Add SEPolicy for PRNG seeder daemon.
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
diff --git a/public/domain.te b/public/domain.te
index 11a14c5..9fbef64 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -436,6 +436,7 @@
# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
+ -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
-shell # For CTS, restricted to just getattr in shell.te
-ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
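Review bot: Excluding prng_seeder from this `*` neverallow removes the assertion for every chr_file permission, not just the read access the comment on the added line describes, so the policy no longer guarantees that the daemon cannot write to or ioctl the HW RNG device. Since the stated need is read-only reseeding, the exemption could be paired with a narrower assertion, e.g. `neverallow prng_seeder hw_random_device:chr_file ~{ open read getattr };`, so the read-only intent is enforced rather than only commented. The corresponding allow rule for prng_seeder is not in this diff, so whether it is already read-only cannot be confirmed here.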
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 29bab48..886286e 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -31,6 +31,7 @@
domain
-hal_configstore_server
-logd
+ -prng_seeder
userdebug_or_eng(`-su')
-tombstoned
userdebug_or_eng(`-heapprofd')
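Review bot: The added `-prng_seeder` exemption carries no comment, unlike the parallel change in domain.te, and the neverallow's object and permissions are outside the hunk, so a reader of this file cannot tell why the seeder daemon needs to be exempted from a hal_configstore restriction. Presumably the reason is that hal_configstore's libcrypto obtains seeding data over the prng_seeder socket, as the commit message describes for libcrypto clients generally; if so, a short trailing comment such as `-prng_seeder # libcrypto clients seed over the prng_seeder socket` would record that and make the exemption auditable alongside the others in this list. The enclosing neverallow statement starts before the hunk.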
diff --git a/public/prng_seeder.te b/public/prng_seeder.te
new file mode 100644
index 0000000..7438452
--- /dev/null
+++ b/public/prng_seeder.te
@@ -0,0 +1,2 @@
+# PRNG seeder daemon
+type prng_seeder, domain;
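Review bot: The header comment on the new type says only `# PRNG seeder daemon`, which does not tell a policy reader what the domain does or why it is carved out of the hw_random_device neverallow in domain.te. Expanding it to something like `# PRNG seeder daemon: serves seeding data to libcrypto clients over a socket and reseeds itself from the HW RNG (exempted from the hw_random_device neverallow in domain.te)` would document the two facts this change relies on. No access rules for the domain appear in this diff, so a note on where they live is left to the author.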
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c8ddfb9..61fa686 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -282,7 +282,8 @@
###
# Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+neverallow_establish_socket_comms(vendor_init, {
+ domain -init -logd -prng_seeder -su -vendor_init });
# The vendor_init domain is only entered via an exec based transition from the
# init domain, never via setcon().