xref: /aosp_15_r20/system/sepolicy/prebuilts/api/202404/private/prng_seeder.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1# PRNG seeder daemon
2# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
3# /dev/hw_random.  When BoringSSL (libcrypto) in other processes needs seeding data for its
4# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
5# fixed size block of entropy then disconnect.  No other IO is performed.
6typeattribute prng_seeder coredomain;
7
8# mlstrustedsubject required in order to allow connections from trusted app domains.
9typeattribute prng_seeder mlstrustedsubject;
10
11type prng_seeder_exec, system_file_type, exec_type, file_type;
12init_daemon_domain(prng_seeder)
13
14# Socket open and listen are performed by init.
15allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
16allow prng_seeder hw_random_device:chr_file { read open };
17allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
18