diff options
| author | Pete Bentley <prb@google.com> | 2022-09-23 12:09:32 +0100 |
|---|---|---|
| committer | Pete Bentley <prb@google.com> | 2022-10-05 00:11:56 +0100 |
| commit | 046a809a90814bcea76aec1ec26d464db3b686dd (patch) | |
| tree | bbea1de9d7af4bd08e84a5e78e48d6fd08566a64 | |
| parent | 0024d682878417b71e117e39ae00d9aed698b428 (diff) | |
| download | core-046a809a90814bcea76aec1ec26d464db3b686dd.tar.gz | |
Add AID for PRNG seeder daemon.
Also adjust permissions on /dev/hw_random to allow prng_seeder group
read access.
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label and uid/gid.
* Verify prng_seeder socket present and has correct
label and permissions
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96
Merged-In: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96
(cherry picked from commit 6cb61610e619e31bd22c12895ec0ca623f793127)
| -rw-r--r-- | libcutils/include/private/android_filesystem_config.h | 1 | ||||
| -rw-r--r-- | rootdir/ueventd.rc | 2 |
2 files changed, 3 insertions, 0 deletions
diff --git a/libcutils/include/private/android_filesystem_config.h b/libcutils/include/private/android_filesystem_config.h index bdb807538..0030887a1 100644 --- a/libcutils/include/private/android_filesystem_config.h +++ b/libcutils/include/private/android_filesystem_config.h @@ -138,6 +138,7 @@ #define AID_JC_IDENTITYCRED 1089 /* Javacard Identity Cred HAL - to manage omapi ARA rules */ #define AID_SDK_SANDBOX 1090 /* SDK sandbox virtual UID */ #define AID_SECURITY_LOG_WRITER 1091 /* write to security log */ +#define AID_PRNG_SEEDER 1092 /* PRNG seeder daemon */ /* Changes to this file must be made in AOSP, *not* in internal branches. */ #define AID_SHELL 2000 /* adb and debug shell user */ diff --git a/rootdir/ueventd.rc b/rootdir/ueventd.rc index a140c8c51..4ec59afe9 100644 --- a/rootdir/ueventd.rc +++ b/rootdir/ueventd.rc @@ -37,6 +37,8 @@ subsystem dma_heap /dev/tty 0666 root root /dev/random 0666 root root /dev/urandom 0666 root root +# Aside from kernel threads, only prng_seeder needs access to HW RNG +/dev/hw_random 0400 prng_seeder prng_seeder /dev/ashmem* 0666 root root /dev/binder 0666 root root /dev/hwbinder 0666 root root |