Bug #13120: harden random pool for zones
Status: Closed
Description
Writing to /dev/random or /dev/urandom adds data to the entropy pool used to generate subsequent random numbers. This pool is presently a global resource, shared by all zones on the machine and with the global zone. In order to avoid even the possibility that one zone could impact the randomness observed by other zones, we should discard writes to these devices in non-global zones.
A follow-up change could choose to virtualise this resource on a per-zone basis. One might look first at swrand_seed_random() and srndpool for where to begin.
Updated by Joshua M. Clulow over 1 year ago
Note that this has been in SmartOS since 2016 with no apparent ill effect, as OS-5576 and integrated as 0fabc2be10a12b10f37299c4442814af0d668b7f in illumos-joyent.
Updated by Joshua M. Clulow over 1 year ago
While investigating this further, I discovered that it is already not possible to even open the /dev/*random devices for write inside a zone, let alone write to them. The device policy mechanism already prevents this access.
In the package manifests, we see:

    $ ag 'driver name=random' pkg/manifests/
    pkg/manifests/system-kernel.mf
    250:driver name=random perms="* 0644 root sys" policy=write_priv_set=sys_devices
As seen in the device policy file:

    $ grep random /etc/security/device_policy
    random:*	write_priv_set=sys_devices
And its realised effect as confirmed with getdevpolicy(1M):

    $ getdevpolicy /dev/random /dev/urandom
    /dev/random
    	read_priv_set=none
    	write_priv_set=sys_devices
    /dev/urandom
    	read_priv_set=none
    	write_priv_set=sys_devices
And the privilege check in effect within a zone:

    root@testing:~# ppriv -D -e dd if=/dev/zero of=/dev/random bs=32 count=1 | od -c
    dd[2433]: missing privilege "sys_devices" (euid = 0, syscall = 225) for "devpolicy" needed at spec_open+0xd5
    dd: /dev/random: open: Permission denied
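The check described in the update above, turned into a script an operator could run in each zone. This is an added example, not code from the illumos issue or the illumos source tree: it parses getdevpolicy(1M) output of the shape quoted above to confirm that writing /dev/random and /dev/urandom requires the sys_devices privilege, and then repeats the dd write attempt to confirm the policy is actually enforced. The function names and the embedded sample policy text are constructed for the example; the live checks only run where getdevpolicy exists.

```shell
#!/bin/sh
# Added example (not from the illumos issue): audit the device policy for the
# random devices and verify that a write attempt is refused.
# Assumes getdevpolicy(1M) prints one device path per line followed by
# tab-indented read_priv_set=/write_priv_set= lines, as quoted in the issue.

# policy_write_priv POLICY_TEXT DEVICE
# Print the write_priv_set value recorded for DEVICE in getdevpolicy output.
policy_write_priv() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == dev                       { found = 1; next }
        found && $1 ~ /^write_priv_set=/ { sub(/^write_priv_set=/, "", $1); print $1; exit }
        found && $1 !~ /_priv_set=/      { exit }   # reached the next device
    '
}

# requires_sys_devices POLICY_TEXT DEVICE
# Return 0 when the write privilege set for DEVICE includes sys_devices
# (the hardened state), 1 otherwise (e.g. write_priv_set=none).
requires_sys_devices() {
    case "$(policy_write_priv "$1" "$2")" in
        sys_devices|sys_devices,*|*,sys_devices|*,sys_devices,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_policy POLICY_TEXT: print a verdict per device; return 1 if any device
# can be written without sys_devices.
audit_policy() {
    rc=0
    for d in /dev/random /dev/urandom; do
        if requires_sys_devices "$1" "$d"; then
            echo "$d: write requires sys_devices (ok)"
        else
            echo "$d: write_priv_set=$(policy_write_priv "$1" "$d") (NOT hardened)"
            rc=1
        fi
    done
    return $rc
}

# try_write DEVICE: the dd probe from the issue. Return 0 if the open+write
# succeeded (unexpected inside a non-global zone), 1 if it was refused.
try_write() {
    if dd if=/dev/zero of="$1" bs=32 count=1 2>/dev/null; then
        echo "$1: write SUCCEEDED"; return 0
    else
        echo "$1: write refused"; return 1
    fi
}

# Constructed sample mirroring the getdevpolicy output quoted in the issue.
SAMPLE_POLICY='/dev/random
	read_priv_set=none
	write_priv_set=sys_devices
/dev/urandom
	read_priv_set=none
	write_priv_set=sys_devices'

# Live checks, only where the illumos tooling is present.
if command -v getdevpolicy >/dev/null 2>&1; then
    audit_policy "$(getdevpolicy /dev/random /dev/urandom)"
    for d in /dev/random /dev/urandom; do try_write "$d"; done
else
    audit_policy "$SAMPLE_POLICY"
fi
```

Run it as an unprivileged user and as root inside a non-global zone; in both cases the expected result is that the write is refused, since root in a zone lacks sys_devices and the policy is checked at open(2), before any data reaches the pool.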