mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2025-02-11 04:26:38 +00:00
9f86c7a221
The crosvm TPM process calls ssleay_rand_bytes(), which in some cases
attempts to acquire entropy through an EGD ("entropy gathering daemon")
- see OpenSSL's RAND_query_egd_bytes(). Attempting to communicate with
this daemon by creating a socket would cause the process to exit
currently because the syscall whitelist did not allow socket() or
connect().
Since we don't have an EGD and don't want to expose it to the sandboxed
TPM process anyway, modify the TPM seccomp policy to cause socket() to
return an error rather than aborting.
BUG=None
TEST=`vmc start --software-tpm termina`
Change-Id: Ib7c6bceced0f6cbe7199614ece8446aa300cec1e
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1684411
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
|
||
|---|---|---|
| .. | ||
| 9p_device.policy | ||
| balloon_device.policy | ||
| block_device.policy | ||
| common_device.policy | ||
| cras_audio_device.policy | ||
| input_device.policy | ||
| net_device.policy | ||
| null_audio_device.policy | ||
| pmem_device.policy | ||
| rng_device.policy | ||
| tpm_device.policy | ||
| vhost_net_device.policy | ||
| vhost_vsock_device.policy | ||
| wl_device.policy | ||
| xhci.policy | ||