Bug #13120
closed
harden random pool for zones
0%
Description
Writing to /dev/random or /dev/urandom adds data to the entropy pool used to generate subsequent random numbers. This pool is presently a global resource, shared by all zones on the machine and with the global zone. In order to avoid even the possibility that one zone could impact the randomness observed by other zones, we should discard writes to these devices in non-global zones.
A follow-up change could choose to virtualise this resource on a per-zone basis. One might look first at swrand_seed_random() and srndpool for where to begin.
Updated by Joshua M. Clulow 11 months ago
Note that this has been in SmartOS since 2016 with no apparent ill effect, as OS-5576 and integrated as 0fabc2be10a12b10f37299c4442814af0d668b7f in illumos-joyent.
Updated by
Updated by Joshua M. Clulow 10 months ago
While investigating this further, I discovered that it is already not possible to even open the /dev/*random devices for write inside a zone, let alone write to them. The device policy mechanism already prevents this access.
In the package manifests, we see:
$ ag 'driver name=random' pkg/manifests/ pkg/manifests/system-kernel.mf 250:driver name=random perms="* 0644 root sys" policy=write_priv_set=sys_devices
As seen in the device policy file:
$ grep random /etc/security/device_policy random:* write_priv_set=sys_devices
And its realised effect as confirmed with getdevpolicy(1M):
$ getdevpolicy /dev/random /dev/urandom
/dev/random
read_priv_set=none
write_priv_set=sys_devices
/dev/urandom
read_priv_set=none
write_priv_set=sys_devices
And the privilege check in effect within a zone:
root@testing:~# ppriv -D -e dd if=/dev/zero of=/dev/random bs=32 count=1 | od -c dd[2433]: missing privilege "sys_devices" (euid = 0, syscall = 225) for "devpolicy" needed at spec_open+0xd5 dd: /dev/random: open: Permission denied