# PRNG seeder daemon
# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
# fixed size block of entropy then disconnect. No other IO is performed.
typeattribute prng_seeder coredomain;

# mlstrustedsubject required in order to allow connections from trusted app domains.
typeattribute prng_seeder mlstrustedsubject;

type prng_seeder_exec, system_file_type, exec_type, file_type;
init_daemon_domain(prng_seeder)

# Socket open and listen are performed by init.
allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
allow prng_seeder hw_random_device:chr_file { read open };
allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };