harden random pool for zones
/dev/urandom adds data to the entropy pool used to generate subsequent random numbers. This pool is presently a global resource, shared by all zones on the machine and with the global zone. In order to avoid even the possibility that one zone could impact the randomness observed by other zones, we should discard writes to these devices in non-global zones.
A follow-up change could choose to virtualise this resource on a per-zone basis. One might look first at
srndpool for where to begin.
Updated by Joshua M. Clulow 12 months ago
While investigating this further, I discovered that it is already not possible to even open the
/dev/*random devices for write inside a zone, let alone write to them. The device policy mechanism already prevents this access.
In the package manifests, we see:
$ ag 'driver name=random' pkg/manifests/ pkg/manifests/system-kernel.mf 250:driver name=random perms="* 0644 root sys" policy=write_priv_set=sys_devices
As seen in the device policy file:
$ grep random /etc/security/device_policy random:* write_priv_set=sys_devices
And its realised effect as confirmed with
$ getdevpolicy /dev/random /dev/urandom /dev/random read_priv_set=none write_priv_set=sys_devices /dev/urandom read_priv_set=none write_priv_set=sys_devices
And the privilege check in effect within a zone:
root@testing:~# ppriv -D -e dd if=/dev/zero of=/dev/random bs=32 count=1 | od -c dd: missing privilege "sys_devices" (euid = 0, syscall = 225) for "devpolicy" needed at spec_open+0xd5 dd: /dev/random: open: Permission denied