Are macports builds prevented from accessing /dev/random ?

Joshua Root jmr at macports.org
Wed Jun 14 13:16:02 UTC 2017


On 2017-6-14 10:07 , Michael wrote:
> 
> On 2017-06-13, at 4:20 PM, Joshua Root <jmr at macports.org> wrote:
> 
>> On 2017-6-14 08:18 , Christopher Jones wrote:
>>> Had a look into this. The ROOT source never explicitly opens /dev/random in read/write mode. Only read only.
>>> However, it also uses a number of external library calls, like std::rand(), and my best bet is one of these is doing it. As writing to /dev/random is allowed, to update the entropy pool, I don’t think this in itself is an issue.
>>> So is it OK to add /dev/random to the allowed locations for the sandbox ?
>>
>> Yes, that would be fine.
>>
>> I had a look at the xnu source by the way, and writing to /dev/random on Darwin is indeed equivalent to writing to /dev/null; the kernel doesn't use the written data in any way.
>>
>> - Josh
> 
> Odd. The manual states: "To add entropy to the random generation system, open /dev/random for writing and write data that you believe to be somehow random."
> 
> In the past, on linux systems, I would have a shutdown script that pulled 512 bytes out of /dev/random, and saved it in a file; on restart, it would be put back into /dev/random. But that was when it was actually possible to modify /etc/rc and run stuff at startup.
> 
> So in Xnu, how do you ensure random data in the entropy pool? How do you seed the random numbers so that there's some ... randomness?
> 
> (rc.local is way too late to adjust system startup. And launchd/init wants to have some sort of hard-coded startup functions that you can't alter).

Best I can tell, the entropy pool gets 16 random bytes obtained in a 
hardware-specific manner very early in the boot process.

- Josh


More information about the macports-dev mailing list