Bug #13120

closed

harden random pool for zones

Added by Joshua M. Clulow about 1 year ago. Updated 12 months ago.

Status: Rejected
Priority: Normal
Category: kernel
Start date:
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

Writing to /dev/random or /dev/urandom adds data to the entropy pool used to generate subsequent random numbers. This pool is presently a global resource, shared by all zones on the machine and with the global zone. In order to avoid even the possibility that one zone could impact the randomness observed by other zones, we should discard writes to these devices in non-global zones.

A follow-up change could choose to virtualise this resource on a per-zone basis. One might look first at swrand_seed_random() and srndpool for where to begin.

Actions #1

Updated by Joshua M. Clulow about 1 year ago

Note that this has been in SmartOS since 2016 with no apparent ill effect, as OS-5576 and integrated as 0fabc2be10a12b10f37299c4442814af0d668b7f in illumos-joyent.

Actions #2

Updated by Electric Monk about 1 year ago

  • Gerrit CR set to 910

Actions #3

Updated by Joshua M. Clulow 12 months ago

While investigating this further, I discovered that it is already not possible to even open the /dev/*random devices for write inside a zone, let alone write to them. The device policy mechanism already prevents this access.

In the package manifests, we see:

$ ag 'driver name=random' pkg/manifests/
pkg/manifests/system-kernel.mf
250:driver name=random perms="* 0644 root sys" policy=write_priv_set=sys_devices

As seen in the device policy file:

$ grep random /etc/security/device_policy
random:*        write_priv_set=sys_devices

And its realised effect as confirmed with getdevpolicy(1M):

$ getdevpolicy /dev/random /dev/urandom
/dev/random
        read_priv_set=none
        write_priv_set=sys_devices
/dev/urandom
        read_priv_set=none
        write_priv_set=sys_devices

And the privilege check in effect within a zone:

root@testing:~# ppriv -D -e dd if=/dev/zero of=/dev/random bs=32 count=1 | od -c
dd[2433]: missing privilege "sys_devices" (euid = 0, syscall = 225) for "devpolicy" needed at spec_open+0xd5
dd: /dev/random: open: Permission denied
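
As an added example (not part of this ticket, and not illumos code), the policy evaluation this comment walks through, modelled in POSIX shell: it reads lines in the same `driver:minor read_priv_set=... write_priv_set=...` shape as /etc/security/device_policy, reports which privilege set an open for read or write requires, and then checks a caller's effective privilege set against it, the way the `ppriv -D` output above shows the kernel doing at spec_open. The policy text in the script is constructed (the `random` line is the one quoted above; the `*` catch-all is added as the usual unrestricted default), the function names `devpolicy_required` and `devpolicy_allows` are ours, and the `basic`/`sys_devices` effective sets passed in at the bottom are illustrative. On a real illumos host, use getdevpolicy(1M) and ppriv(1) as shown rather than this script.

```shell
#!/bin/sh
# Added example: model the device-policy check applied when a process opens a
# device node.  Not illumos code; it only mirrors the semantics of
# /etc/security/device_policy as described in device_policy(4) and shown above.

# Constructed policy text in the same shape as the file quoted above.  The
# random line is the one from the page; the "*" line is the usual catch-all
# default that leaves a device unrestricted when nothing more specific matches.
DEVICE_POLICY='random:*        write_priv_set=sys_devices
*               read_priv_set=none      write_priv_set=none'

# devpolicy_required DRIVER read|write
# Prints the privilege set the policy demands for that access on DRIVER, or
# "none".  A driver-specific entry wins over the "*" default; a mode that the
# entry does not mention is unrestricted, which is why getdevpolicy reports
# read_priv_set=none for /dev/random even though the file only lists a write set.
devpolicy_required() {
    printf '%s\n' "$DEVICE_POLICY" | awk -v dev="$1" -v key="${2}_priv_set=" '
        {
            split($1, spec, ":")
            if (spec[1] != dev && spec[1] != "*") next
            val = "none"
            for (i = 2; i <= NF; i++)
                if (index($i, key) == 1) val = substr($i, length(key) + 1)
            if (spec[1] == dev) { result = val; exit }
            if (def == "") def = val
        }
        END {
            if (result == "") result = (def == "" ? "none" : def)
            print result
        }'
}

# devpolicy_allows DRIVER read|write EFFECTIVE_PRIVS
# Returns 0 if a process whose effective set is EFFECTIVE_PRIVS (comma
# separated) may open DRIVER for that access, 1 otherwise.  Every privilege in
# the required set must be held, mirroring the "missing privilege" diagnostic
# that ppriv -D printed above.
devpolicy_allows() {
    req=$(devpolicy_required "$1" "$2")
    [ "$req" = "none" ] && return 0
    for p in $(printf '%s' "$req" | tr ',' ' '); do
        case ",$3," in
            *",$p,"*) ;;
            *)  echo "missing privilege \"$p\" to open $1 for $2" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Illustrative effective sets (constructed): global-zone root holds
# sys_devices; a non-global zone's effective set never contains it.
devpolicy_allows random write "basic,sys_devices" && echo "global zone: open for write allowed"
devpolicy_allows random write "basic" || echo "non-global zone: open for write denied"
devpolicy_allows random read "basic" && echo "read needs no privilege"
```

The read case is the one worth noting: nothing in the file mentions a read set for `random`, so reads stay unrestricted in every zone, and only the write path, the one that would feed data into the shared pool, is gated on sys_devices.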

Actions #4

Updated by Joshua M. Clulow 12 months ago

  • Status changed from New to Rejected