On Mon, Jan 28, 2013 at 5:57 PM, William Roberts <[email protected]> wrote:
> random and urandom are allowed by domain, this is an MLS issue.

No, read-down is allowed by MLS. mlstrustedobject is only required for write-down or read-up. Allowing direct access to /dev/random by arbitrary apps is considered harmful; put the app in a more specific domain by defining a distinct seinfo string in mac_permissions.xml and mapping it to a particular domain in seapp_contexts, similar to the vpn work by Joshua et al.

>
> Try applying this patch:
>
> diff --git a/device.te b/device.te
> index 7818ce8..72c3e54 100644
> --- a/device.te
> +++ b/device.te
> @@ -29,11 +29,11 @@ type ptmx_device, dev_type, mlstrustedobject;
> type qemu_device, dev_type;
> type kmsg_device, dev_type;
> type null_device, dev_type, mlstrustedobject;
> -type random_device, dev_type;
> +type random_device, dev_type, mlstrustedobject;
> type serial_device, dev_type;
> type socket_device, dev_type;
> type tty_device, dev_type;
> -type urandom_device, dev_type;
> +type urandom_device, dev_type, mlstrustedobject;
> type video_device, dev_type;
> type vcs_device, dev_type;
> type zero_device, dev_type;
>
>
> On Mon, Jan 28, 2013 at 2:30 PM, Peck, Michael A <[email protected]> wrote:
>> A crypto (secure voice) app I am testing fails to start – it is trying to
>> read /dev/random:
>>
>> <5>[ 2951.029571] type=1400 audit(1359410942.187:32): avc: denied { read } for pid=2435 comm=4173796E635461736B202331 name="random" dev=tmpfs ino=4012 scontext=u:r:untrusted_app:s0:c50,c256 tcontext=u:object_r:random_device:s0 tclass=chr_file
>>
>> Would it be reasonable to add a “allow domain random_device:chr_file
>> r_file_perms;” rule to allow all apps to read /dev/random?
>>
>> I think the main threat is that a malicious app could potentially keep
>> reading from /dev/random and use up the entropy pool (preventing others from
>> reading /dev/random).
>>
>> Some might say the app should use /dev/urandom instead. At which time
>> others would probably then complain that /dev/urandom is “not good enough”.
>> Not sure that I personally want to take sides on /dev/random vs.
>> /dev/urandom. :)
>>
>> --
>> Michael Peck
>> The MITRE Corporation
>
> --
> Respectfully,
>
> William C Roberts
>
> --
> This message was distributed to subscribers of the seandroid-list mailing list.
> If you no longer wish to subscribe, send mail to [email protected] with
> the words "unsubscribe seandroid-list" without quotes as the message.
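Review bot: the two added lines `+type random_device, dev_type, mlstrustedobject;` and `+type urandom_device, dev_type, mlstrustedobject;` do not address the denial in the quoted audit message and relax the policy more than intended. That denial is a type-enforcement denial (no rule grants untrusted_app read on random_device:chr_file), not an MLS constraint failure: the subject is at s0:c50,c256 and the object at plain s0, which is a read-down that MLS already permits. Marking the devices mlstrustedobject exempts them from MLS constraints for every domain, including write-down and read-up, so the change would weaken MLS system-wide while the read stays denied. Suggest dropping both hunks and instead adding a TE allow rule scoped to a dedicated app domain, as the reply proposes via a distinct seinfo in mac_permissions.xml mapped to a domain in seapp_contexts.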
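A worked version of the scoping the reply recommends, added here as an example; it is not code from the thread or from the SEAndroid project. The seinfo value securevoice, the domain name secure_voice_app, the certificate placeholder, the levelFromUid form and the availability of the app_domain and net_domain macros are assumptions about the policy in use.

```text
### mac_permissions.xml (assumed fragment): tie the app's signing certificate to its own seinfo
<!-- signature is the hex-encoded DER certificate of the app's signer; placeholder here -->
<signer signature="PLACEHOLDER_HEX_DER_SIGNING_CERT" >
    <seinfo value="securevoice" />
</signer>

### seapp_contexts (assumed lines): route that seinfo to its own domain; everything else stays untrusted_app
# The entry naming seinfo is more specific, so it wins for this app; the generic entry
# still produces the per-uid categories (c50,c256) seen in the audit line.
user=_app seinfo=securevoice domain=secure_voice_app type=app_data_file levelFromUid=true
user=_app domain=untrusted_app type=app_data_file levelFromUid=true

### secure_voice_app.te (hypothetical domain): the read rule lives here, not on "domain"
type secure_voice_app, domain;
app_domain(secure_voice_app)   # assumed: same app_domain macro untrusted_app uses
net_domain(secure_voice_app)   # assumed: network access, as a secure-voice app needs
# Read-down from s0:cN,cM to s0 is already allowed by MLS; the missing piece in the
# audit message is this TE permission, granted to one domain rather than to all apps.
allow secure_voice_app random_device:chr_file r_file_perms;
```

Only apps signed by the listed certificate land in secure_voice_app; every other app keeps the existing untrusted_app rules and still cannot read /dev/random.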
