-
Jamie Strandboge authored
/run/uuidd/request is hardcoded in libuuid from util-linux and uuidd listens on this socket to provide random and time-based UUIDs in a secure manner (man 8 uuidd). Some applications (eg, python's uuid) prefer to use this socket, falling back to getrandom(), /dev/urandom, etc. Eg: $ strace -f aa-exec -p test -- \ python3 -c 'import uuid ; print("%s\n" % str(uuid.uuid1()))' ... socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = -1 EACCES (Permission denied) getrandom("\x8e\x89\xa5\xe7\x39\x1b", 6, GRND_NONBLOCK) = 6 ... uuidd itself produces random numbers using getrandom() and /dev/{,u}random (falling back to time-based if not), which are already allowed in the base abstraction. The uuidd daemon, when available, runs unprivileged under a dedicated user, so allowing read-only access to /run/uuidd/request is reasonable.
45fffc12