1# PRNG seeder daemon 2# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from 3# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its 4# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a 5# fixed size block of entropy then disconnect. No other IO is performed. 6typeattribute prng_seeder coredomain; 7 8# mlstrustedsubject required in order to allow connections from trusted app domains. 9typeattribute prng_seeder mlstrustedsubject; 10 11type prng_seeder_exec, system_file_type, exec_type, file_type; 12init_daemon_domain(prng_seeder) 13 14# Socket open and listen are performed by init. 15allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept }; 16allow prng_seeder hw_random_device:chr_file { read open }; 17allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl }; 18