Public bug reported: Currently the AppArmor profiles are set up so that programs running in snappy's confinement may only open /dev/random and /dev/urandom read-only; however, it seems to be legitimate to open these devices in write mode in order to reseed the random number generator. I can find remarkably little information on this, except for the Botan source code, which attempts to write to /dev/urandom when adding entropy to the system RNG [1].
This appears to be a legitimate use of random and urandom, thus it should be supported. As it stands, no application which uses Botan's System RNG can be built into a snappy package.

[1] See: https://github.com/randombit/botan/blob/master/src/lib/rng/system_rng/system_rng.cpp#L77 and also line 118. See https://github.com/randombit/botan/blob/master/src/build-data/buildh.in#L130 for the definition of BOTAN_SYSTEM_RNG_DEVICE

** Affects: snapd (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1629996

Title:
  Cannot open /dev/random and /dev/urandom for write
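An added example, not part of the bug report and not Botan or snapd code: one way an application can cope with a confinement profile that grants the RNG device read-only, by trying a read-write open first and falling back to read-only when open() is refused with EACCES. The names rng_open, rng_add_entropy and struct rng_dev are hypothetical.

```c
/* Added example (not Botan or snapd code); all names here are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

enum rng_mode { RNG_UNAVAILABLE = -1, RNG_READ_ONLY = 0, RNG_READ_WRITE = 1 };
struct rng_dev { int fd; enum rng_mode mode; };

/* Prefer read-write; if write access is refused (file mode, or a MAC
 * policy such as AppArmor returning EACCES), retry read-only. */
struct rng_dev rng_open(const char *path) {
    struct rng_dev d = { -1, RNG_UNAVAILABLE };
    d.fd = open(path, O_RDWR | O_NOCTTY);
    if (d.fd >= 0) { d.mode = RNG_READ_WRITE; return d; }
    if (errno == EACCES || errno == EPERM || errno == EROFS) {
        d.fd = open(path, O_RDONLY | O_NOCTTY);
        if (d.fd >= 0) d.mode = RNG_READ_ONLY;
    }
    return d;
}

/* Write caller-supplied bytes to the device. Returns 1 if written,
 * 0 if skipped because the handle is read-only, -1 on error. */
int rng_add_entropy(const struct rng_dev *d, const void *buf, size_t len) {
    const unsigned char *p = buf;
    if (d->mode == RNG_READ_ONLY) return 0;
    if (d->mode != RNG_READ_WRITE) return -1;
    while (len > 0) {
        ssize_t n = write(d->fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 1;
}

int main(void) {
    struct rng_dev d = rng_open("/dev/urandom");
    if (d.fd < 0) { perror("rng_open"); return 1; }
    /* "constructed seed" is sample input made up for this example. */
    int r = rng_add_entropy(&d, "constructed seed", 16);
    printf("mode=%s reseed=%d\n", d.mode == RNG_READ_WRITE ? "rw" : "ro", r);
    close(d.fd);
    return 0;
}
```

Run inside and outside the confined environment, the printed mode shows whether the profile allowed the write open.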
