diff options
| author | Pete Bentley <prb@google.com> | 2022-09-23 12:09:32 +0100 |
|---|---|---|
| committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-11-15 01:50:07 +0000 |
| commit | 841946be56adc4efb5f3ffa59ecd720a2f1de83a (patch) | |
| tree | 32ea8afca7d00238f0fa1f7e153238d0d3fe8925 | |
| parent | ec18f508f9934fc9548fff6b0532452200defdbe (diff) | |
Add AID for PRNG seeder daemon.
Also adjust permissions on /dev/hw_random to allow prng_seeder group
read access.
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label and uid/gid.
* Verify prng_seeder socket present and has correct
label and permissions
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96
Merged-In: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96
(cherry picked from commit 6cb61610e619e31bd22c12895ec0ca623f793127)
(cherry picked from commit 046a809a90814bcea76aec1ec26d464db3b686dd)
Merged-In: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96
| -rw-r--r-- | libcutils/include/private/android_filesystem_config.h | 1 | ||||
| -rw-r--r-- | rootdir/ueventd.rc | 2 |
2 files changed, 3 insertions, 0 deletions
diff --git a/libcutils/include/private/android_filesystem_config.h b/libcutils/include/private/android_filesystem_config.h index bdb807538..0030887a1 100644 --- a/libcutils/include/private/android_filesystem_config.h +++ b/libcutils/include/private/android_filesystem_config.h @@ -138,6 +138,7 @@ #define AID_JC_IDENTITYCRED 1089 /* Javacard Identity Cred HAL - to manage omapi ARA rules */ #define AID_SDK_SANDBOX 1090 /* SDK sandbox virtual UID */ #define AID_SECURITY_LOG_WRITER 1091 /* write to security log */ +#define AID_PRNG_SEEDER 1092 /* PRNG seeder daemon */ /* Changes to this file must be made in AOSP, *not* in internal branches. */ #define AID_SHELL 2000 /* adb and debug shell user */ diff --git a/rootdir/ueventd.rc b/rootdir/ueventd.rc index a140c8c51..4ec59afe9 100644 --- a/rootdir/ueventd.rc +++ b/rootdir/ueventd.rc @@ -37,6 +37,8 @@ subsystem dma_heap /dev/tty 0666 root root /dev/random 0666 root root /dev/urandom 0666 root root +# Aside from kernel threads, only prng_seeder needs access to HW RNG +/dev/hw_random 0400 prng_seeder prng_seeder /dev/ashmem* 0666 root root /dev/binder 0666 root root /dev/hwbinder 0666 root root |