
Commit 841946be authored by Pete Bentley, committed by Android Build Coastguard Worker

Add AID for PRNG seeder daemon.

Also adjust permissions on /dev/hw_random to allow prng_seeder group
read access.

Manual testing protocol:
* Verify prng_seeder daemon is running and has the
  correct label and uid/gid.
* Verify prng_seeder socket present and has correct
  label and permissions
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
  data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
  (e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance

Bug: 243933553
Test: Manual - see above
Change-Id: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96
Merged-In: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96
(cherry picked from commit 6cb61610)
(cherry picked from commit 046a809a)
Merged-In: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96
parent ec18f508
+1 −0
@@ -138,6 +138,7 @@
#define AID_JC_IDENTITYCRED 1089  /* Javacard Identity Cred HAL - to manage omapi ARA rules */
#define AID_SDK_SANDBOX 1090      /* SDK sandbox virtual UID */
#define AID_SECURITY_LOG_WRITER 1091 /* write to security log */
#define AID_PRNG_SEEDER 1092         /* PRNG seeder daemon */
/* Changes to this file must be made in AOSP, *not* in internal branches. */

#define AID_SHELL 2000 /* adb and debug shell user */
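
Review bot: The comment on the AID_PRNG_SEEDER 1092 define says only "PRNG seeder daemon", which does not tell a later reader what the id is used to protect. The ueventd change in this same commit makes prng_seeder the owner of /dev/hw_random, so consider recording that in the comment, for example "PRNG seeder daemon, owner of /dev/hw_random". That way anyone auditing which AIDs gate hardware entropy can find it from this header alone.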
+2 −0
@@ -37,6 +37,8 @@ subsystem dma_heap
/dev/tty                  0666   root       root
/dev/random               0666   root       root
/dev/urandom              0666   root       root
# Aside from kernel threads, only prng_seeder needs access to HW RNG
/dev/hw_random            0400   prng_seeder prng_seeder
/dev/ashmem*              0666   root       root
/dev/binder               0666   root       root
/dev/hwbinder             0666   root       root
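
Review bot: The mode on the /dev/hw_random line is 0400, which grants read to the owning user only, while the commit message describes the change as allowing "prng_seeder group read access". With 0400 the group column on this line has no effect on access. If group read is intended, the mode needs to be 0440; if owner-only read is intended, the commit message should say user rather than group, and the comment above the line could state that access is by uid so the two stay consistent.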