On 01/29/2013 11:20 AM, William Roberts wrote:
I see I misread domain.te, only urandom is allowed by domain. Isn't
random world readable though, won't we run into a compatibility issue
with those that need it? Perhaps adding this into a boolean is the
right way to go. People shouldn't have to re-write their seapp
contexts to get apps to work.
Fair enough, feel free to add it. Not sure it justifies a boolean however.
On Mon, Jan 28, 2013 at 2:57 PM, William Roberts
<[email protected]> wrote:
random and urandom are allowed by domain, this is an MLS issue.
Try applying this patch:
diff --git a/device.te b/device.te
index 7818ce8..72c3e54 100644
--- a/device.te
+++ b/device.te
@@ -29,11 +29,11 @@ type ptmx_device, dev_type, mlstrustedobject;
type qemu_device, dev_type;
type kmsg_device, dev_type;
type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type;
+type random_device, dev_type, mlstrustedobject;
type serial_device, dev_type;
type socket_device, dev_type;
type tty_device, dev_type;
-type urandom_device, dev_type;
+type urandom_device, dev_type, mlstrustedobject;
type video_device, dev_type;
type vcs_device, dev_type;
type zero_device, dev_type;
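Review bot: the mlstrustedobject attribute added on the random_device and urandom_device lines exempts both types from MLS constraints but grants no type-enforcement access, and the hunk carries no matching allow rule. The denial quoted in this thread is a read on random_device:chr_file from untrusted_app, and the later reply says domain.te allows only urandom, so this needs to be paired with the proposed "allow domain random_device:chr_file r_file_perms;" if all apps are meant to read /dev/random. A comment above the two changed lines saying why these devices are safe to share across MLS levels would also help, since the attribute waives the MLS checks for every permission the TE rules grant on the type, not only read.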
On Mon, Jan 28, 2013 at 2:30 PM, Peck, Michael A <[email protected]> wrote:
A crypto (secure voice) app I am testing fails to start – it is trying to
read /dev/random:
<5>[ 2951.029571] type=1400 audit(1359410942.187:32): avc: denied { read } for pid=2435 comm=4173796E635461736B202331 name="random" dev=tmpfs ino=4012 scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:random_device:s0 tclass=chr_file
Would it be reasonable to add an “allow domain random_device:chr_file
r_file_perms;” rule to allow all apps to read /dev/random?
I think the main threat is that a malicious app could potentially keep
reading from /dev/random and use up the entropy pool (preventing others from
reading /dev/random).
Some might say the app should use /dev/urandom instead. At which time
others would probably then complain that /dev/urandom is “not good enough”.
Not sure that I personally want to take sides on /dev/random vs.
/dev/urandom. :)
--
Michael Peck
The MITRE Corporation
--
Respectfully,
William C Roberts
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
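
The denial quoted in this thread, taken apart as an added example (not code from the thread or from the SE Android project): it decodes the hex-encoded comm field, derives the type-enforcement rule the denial corresponds to, and compares the MLS levels of the two contexts. The function names are hypothetical, and the level parsing assumes single-level contexts with comma-separated categories (no ranges), as in the quoted line.

```python
import re

# The denial from the thread, rejoined onto one line.
AVC = ('type=1400 audit(1359410942.187:32): avc: denied { read } for '
       'pid=2435 comm=4173796E635461736B202331 name="random" dev=tmpfs '
       'ino=4012 scontext=u:r:untrusted_app:s0:c50,c256 '
       'tcontext=u:object_r:random_device:s0 tclass=chr_file')

def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC denial')
    rec = {'perms': m.group(1).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
        if val.startswith('"'):
            val = val.strip('"')
        elif key == 'comm' and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', val):
            # An unquoted comm is hex-encoded (name had a space or similar).
            val = bytes.fromhex(val).decode('utf-8', 'replace')
        rec[key] = val
    return rec

def level(context):
    """(sensitivity, category set) of a user:role:type:level context.
    Assumption: one level such as s0:c50,c256, not a range."""
    sens, _, cats = context.split(':', 3)[3].partition(':')
    return int(sens[1:]), set(filter(None, cats.split(',')))

def triage(rec):
    """Summarise what a policy author needs to look at for this denial."""
    src, tgt = level(rec['scontext']), level(rec['tcontext'])
    stype = rec['scontext'].split(':')[2]
    ttype = rec['tcontext'].split(':')[2]
    return {
        'comm': rec['comm'],
        # TE rule matching the denial; an MLS attribute never supplies this.
        'te_rule': 'allow %s %s:%s { %s };' % (
            stype, ttype, rec['tclass'], ' '.join(rec['perms'])),
        # Which of these matters depends on the policy's mls constraints.
        'subject_dominates': src[0] >= tgt[0] and src[1] >= tgt[1],
        'levels_equal': src == tgt,
    }

if __name__ == '__main__':
    for key, val in triage(parse_avc(AVC)).items():
        print('%-18s %s' % (key, val))
```

Here the app's level dominates the device's level without being equal to it, so whether MLS is involved at all depends on whether the policy's read constraint asks for dominance or equality; the TE rule is needed in either case.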