# AppArmor profile for rngd entropy generator daemon
# Version of rngd (rng-tools) profiled: 6.16
# Homepage: https://github.com/krathalan/apparmor-profiles
# Copyright 2019-2024 (C) krathalan; Licensed under GPLv3

abi <abi/3.0>,
include <tunables/global>

profile rngd /usr/bin/rngd {
  include if exists <local/rngd>
  include <abstractions/base>
  network unix stream,

  # Kind of dangerous; sys_admin is a huge capability
  capability sys_admin,

  # System access
  owner /dev/ r,
  owner /dev/random rw,
  owner /sys/bus/ r,
  owner /sys/class/ r,
  owner @{PROC}/sys/kernel/random/* rw,

  # Hardware RNGs
  owner /dev/hwrng r,
  owner /sys/devices/virtual/misc/hw_random/rng_available r,

  # Config file
  owner /etc/conf.d/rngd r,
  
  # Jitter support
  network netlink raw,
  /etc/ssl/openssl.cnf r,
  # Jitter seems to work without this
  deny capability net_admin,

  # Seems to be necessary for rtlsdr/smart cards,
  # I don't have any so I can't test this
  deny /dev/bus/usb/ r,
  deny /sys/bus/usb/devices/ r,
}
