Add SEPolicy for PRNG seeder daemon.
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 8a62341..8aa288e 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -159,6 +159,7 @@
neverallow app_zygote {
domain
-app_zygote
+ -prng_seeder
userdebug_or_eng(`-su')
userdebug_or_eng(`-heapprofd')
userdebug_or_eng(`-traced_perf')
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index c6c0c18..ad10722 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -16,6 +16,7 @@
healthconnect_service
keystore_config_prop
permissive_mte_prop
+ prng_seeder
servicemanager_prop
system_net_netd_service
tuner_config_prop
diff --git a/private/domain.te b/private/domain.te
index 3d59a27..8f43181 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -121,6 +121,9 @@
# should be used.
get_prop(domain, log_file_logger_prop)
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
@@ -498,6 +501,7 @@
-logd # Logging by writing to logd Unix domain socket is public API
-netd # netdomain needs this
-mdnsd # netdomain needs this
+ -prng_seeder # Any process using libcrypto needs this
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
-init
-tombstoned # linker to tombstoned
diff --git a/private/file.te b/private/file.te
index 3f5531f..60e2274 100644
--- a/private/file.te
+++ b/private/file.te
@@ -120,3 +120,8 @@
# This executable does not have its own domain because it is executed in the caller's domain. For
# example, it is executed in the `artd` domain when artd calls it.
type art_exec_exec, system_file_type, exec_type, file_type;
+
+# Filesystem entry for for PRNG seeder socket. Processes require
+# write permission on this to connect, and needs to be mlstrustedobject
+# in to satisfy MLS constraints for trusted domains.
+type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
diff --git a/private/file_contexts b/private/file_contexts
index f5d40c8..951c9b5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -149,6 +149,7 @@
/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
/dev/socket/recovery u:object_r:recovery_socket:s0
@@ -220,6 +221,7 @@
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
diff --git a/private/init.te b/private/init.te
index 9e50bd4..f03a138 100644
--- a/private/init.te
+++ b/private/init.te
@@ -109,6 +109,9 @@
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
allow init debugfs_bootreceiver_tracing:file w_file_perms;
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
+
# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
# attempt to write a non exisiting 'synthetic_events' file, when setting
# up synthetic events. This is a no-op in tracefs.
diff --git a/private/prng_seeder.te b/private/prng_seeder.te
new file mode 100644
index 0000000..299e37b
--- /dev/null
+++ b/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect. No other IO is performed.
+typeattribute prng_seeder coredomain;
+
+# mlstrustedsubject required in order to allow connections from trusted app domains.
+typeattribute prng_seeder mlstrustedsubject;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };