Pull up following revision(s) (requested by riastradh in ticket #1053):
sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.36 Accept ioctl(RNDADDDATA) estimates at securelevel 1 (but not 2). securelevel=1 is supposed to be a reasonable default for normal computers. This got in the way of ever getting entropy from a seed on a machine with no HWRNG -- e.g., from another machine, or by making the executive decision that what has been sampled is good enough and issuing `head -c 32 < /dev/urandom > /dev/random'.
This commit is contained in:
parent
e2b5a64e83
commit
7d08a0843a
|
@ -1,4 +1,4 @@
|
||||||
/* $NetBSD: secmodel_securelevel.c,v 1.32 2018/07/15 05:16:45 maxv Exp $ */
|
/* $NetBSD: secmodel_securelevel.c,v 1.32.4.1 2020/08/17 11:27:33 martin Exp $ */
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
|
@ -35,7 +35,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.32 2018/07/15 05:16:45 maxv Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.32.4.1 2020/08/17 11:27:33 martin Exp $");
|
||||||
|
|
||||||
#ifdef _KERNEL_OPT
|
#ifdef _KERNEL_OPT
|
||||||
#include "opt_insecure.h"
|
#include "opt_insecure.h"
|
||||||
|
@ -596,7 +596,7 @@ secmodel_securelevel_device_cb(kauth_cred_t cred, kauth_action_t action,
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case KAUTH_DEVICE_RND_ADDDATA_ESTIMATE:
|
case KAUTH_DEVICE_RND_ADDDATA_ESTIMATE:
|
||||||
if (securelevel > 0)
|
if (securelevel > 1)
|
||||||
result = KAUTH_RESULT_DENY;
|
result = KAUTH_RESULT_DENY;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue