commit cf61e257a3d14f3db6b1e3c139630936475b3c6e
author Pete Bentley <prb@google.com> Fri Sep 16 15:31:39 2022 +0100
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Tue Nov 15 01:50:22 2022 +0000
tree e215b55328a767668ca8ef6d7c2369893b4cde02
parent e7b91e7f7a912b586cd94f2499e0d725b6803ee6

Add SEPolicy for PRNG seeder daemon.

Manual testing protocol:
* Verify prng_seeder daemon is running and has the
  correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
  label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
  data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
  (e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance

Bug: 243933553
Test: Manual - see above
Change-Id: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
Merged-In: I0a7e339115a2cf6b819730dcf5f8b189a339c57d
(cherry picked from commit e6da3b80d139d01ca36a96514dc0a0483b5dfc8d)
(cherry picked from commit efa9e1111adb9020b5d035954fe654e6b804a314)
Merged-In: I0a7e339115a2cf6b819730dcf5f8b189a339c57d

private/app_zygote.te

diff --git a/private/app_zygote.te b/private/app_zygote.te
index 8a62341..8aa288e 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -159,6 +159,7 @@
 neverallow app_zygote {
   domain
   -app_zygote
+  -prng_seeder
   userdebug_or_eng(`-su')
   userdebug_or_eng(`-heapprofd')
   userdebug_or_eng(`-traced_perf')

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 2ef688c..bcb9d52 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -112,6 +112,9 @@
 # Allow all processes to check for the existence of the boringssl_self_test_marker files.
 allow domain boringssl_self_test_marker:dir search;
 
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using
@@ -496,6 +499,7 @@
     -logd # Logging by writing to logd Unix domain socket is public API
     -netd # netdomain needs this
     -mdnsd # netdomain needs this
+    -prng_seeder # Any process using libcrypto needs this
     userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
     -init
     -tombstoned # linker to tombstoned

private/file.te

diff --git a/private/file.te b/private/file.te
index c4ee2aa..cf9ea02 100644
--- a/private/file.te
+++ b/private/file.te
@@ -115,3 +115,8 @@
 # /dev/selinux/test - used to verify that apex sepolicy is loaded and
 # property labeled.
 type sepolicy_test_file, file_type;
+
+# Filesystem entry for for PRNG seeder socket.  Processes require
+# write permission on this to connect, and needs to be mlstrustedobject
+# in to satisfy MLS constraints for trusted domains.
+type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index e21c18c..65baa5d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -149,6 +149,7 @@
 /dev/socket/pdx/system/vr/display/manager	u:object_r:pdx_display_manager_endpoint_socket:s0
 /dev/socket/pdx/system/vr/display/screenshot	u:object_r:pdx_display_screenshot_endpoint_socket:s0
 /dev/socket/pdx/system/vr/display/vsync	u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/prng_seeder	u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/recovery    u:object_r:recovery_socket:s0
@@ -220,6 +221,7 @@
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
+/system/bin/prng_seeder		u:object_r:prng_seeder_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
 /system/bin/canhalconfigurator  u:object_r:canhalconfigurator_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0

private/init.te

diff --git a/private/init.te b/private/init.te
index 997a184..17e25f8 100644
--- a/private/init.te
+++ b/private/init.te
@@ -108,6 +108,9 @@
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
 
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
+
 # Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
 # attempt to write a non exisiting 'synthetic_events' file, when setting
 # up synthetic events. This is a no-op in tracefs.

private/prng_seeder.te

diff --git a/private/prng_seeder.te b/private/prng_seeder.te
new file mode 100644
index 0000000..299e37b
--- /dev/null
+++ b/private/prng_seeder.te
@@ -0,0 +1,17 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random.  When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect.  No other IO is performed.
+typeattribute prng_seeder coredomain;
+
+# mlstrustedsubject required in order to allow connections from trusted app domains.
+typeattribute prng_seeder mlstrustedsubject;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index 8e1fcf7..de529f5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -421,6 +421,7 @@
 # Only the kernel hwrng thread should be able to read from the HW RNG.
 neverallow {
   domain
+  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
   -shell # For CTS, restricted to just getattr in shell.te
   -ueventd # To create the /dev/hw_random file
 } hw_random_device:chr_file *;

public/hal_configstore.te

diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 069da47..23b04c9 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -31,6 +31,7 @@
   domain
   -hal_configstore_server
   -logd
+  -prng_seeder
   userdebug_or_eng(`-su')
   -tombstoned
   userdebug_or_eng(`-heapprofd')

public/prng_seeder.te

diff --git a/public/prng_seeder.te b/public/prng_seeder.te
new file mode 100644
index 0000000..7438452
--- /dev/null
+++ b/public/prng_seeder.te
@@ -0,0 +1,2 @@
+# PRNG seeder daemon
+type prng_seeder, domain;

public/vendor_init.te

diff --git a/public/vendor_init.te b/public/vendor_init.te
index 57df54c..1e221ae 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -281,7 +281,8 @@
 ###
 
 # Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+neverallow_establish_socket_comms(vendor_init, {
+    domain -init -logd -prng_seeder -su -vendor_init });
 
 # The vendor_init domain is only entered via an exec based transition from the
 # init domain, never via setcon().