On 2017-6-14 10:07 , Michael wrote:
> On 2017-06-13, at 4:20 PM, Joshua Root wrote:
>> On 2017-6-14 08:18 , Christopher Jones wrote:
>>> Had a look into this. The ROOT source never explicitly opens /dev/random in
>>> read/write mode. Only read only.
>>> However, it also uses a number of external library calls, like std::rand(), and
>>> my best bet is one of these is doing it. As writing to /dev/random is allowed,
>>> to update the entropy pool, I don’t think this in itself is an issue.
>>> So is it OK to add /dev/random to the allowed locations for the sandbox?
>>
>> Yes, that would be fine.
>> I had a look at the xnu source by the way, and writing to /dev/random on Darwin
>> is indeed equivalent to writing to /dev/null; the kernel doesn't use the
>> written data in any way.
>> - Josh
>
> Odd. The manual states: "To add entropy to the random generation system, open
> /dev/random for writing and write data that you believe to be somehow random."
> In the past, on Linux systems, I would have a shutdown script that pulled 512
> bytes out of /dev/random, and saved it in a file; on restart, it would be put
> back into /dev/random. But that was when it was actually possible to modify
> /etc/rc and run stuff at startup.
> So in Xnu, how do you ensure random data in the entropy pool? How do you seed
> the random numbers so that there's some ... randomness?
> (rc.local is way too late to adjust system startup. And launchd/init wants to
> have some sort of hard-coded startup functions that you can't alter).

Best I can tell, the entropy pool gets 16 random bytes obtained in a
hardware-specific manner very early in the boot process.
- Josh
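
The Linux save-and-restore seed procedure mentioned in the thread, as an added example (not code from anyone in the thread): 512 bytes are saved at shutdown and written back at boot. The seed path, variable names and function names are assumptions, and /dev/urandom is read instead of /dev/random so that saving never blocks.

```shell
#!/bin/sh
# Added example: carry a random seed across reboots (classic Linux pattern).
# SEED_FILE, RANDOM_IN and RANDOM_OUT are illustrative defaults; only the
# 512-byte size comes from the thread.
SEED_FILE="${SEED_FILE:-/var/lib/random-seed}"
SEED_BYTES="${SEED_BYTES:-512}"
RANDOM_IN="${RANDOM_IN:-/dev/urandom}"    # read side, never blocks
RANDOM_OUT="${RANDOM_OUT:-/dev/random}"   # write side, mixes into the pool

# save_seed: pull SEED_BYTES from the kernel RNG into SEED_FILE.
# The data goes to a private temp file first and is renamed into place, so a
# crash never leaves a truncated or world-readable seed behind.
save_seed() {
    old_umask=$(umask)
    umask 077
    tmp="${SEED_FILE}.tmp.$$"
    if head -c "$SEED_BYTES" "$RANDOM_IN" > "$tmp" &&
       [ "$(wc -c < "$tmp")" -eq "$SEED_BYTES" ]; then
        mv -f "$tmp" "$SEED_FILE"
        rc=0
    else
        rm -f "$tmp"
        rc=1
    fi
    umask "$old_umask"
    return "$rc"
}

# restore_seed: write the saved seed back at boot, then replace it at once
# so the same seed is never fed in on two consecutive boots.
restore_seed() {
    [ -s "$SEED_FILE" ] || return 1
    cat "$SEED_FILE" > "$RANDOM_OUT" || return 1
    save_seed
}
```

On Linux a plain write like this mixes the data into the pool without crediting any entropy. On Darwin, going by the reading of the xnu source quoted above, the write has no effect at all.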