Hello. I would like to know if grsecurity would be interested in adding a patch for erandom and sysctl urandom. Frandom is basically like urandom but it only seeds itself once each time it is opened.. erandom is seeded off the state of frandom and so erandom uses no kernel entropy no matter how much it is used. Frandom is especially usefull for wiping discs, or whenever you need huge amounts of random bytes. Erandom is especially usefull for anything non-crypto, like mktemp(), and propolice. Sysctl interfaces make these devices available through chroot. This is very similar to the behaviour NetBSD has for arandom and erandom. I also have patches for glibc and uclibc so mktemp() and propolice use these devices and interfaces. It is very little to maintain. I have been maintaining this kernel patch since 2.4.24 and the modifications needed to maintain it to 2.6.11 have been very simple. The url for the 2.6 patch is here:
http://www.linuxfromscratch.org/patches ... om-1.patch
There is a small patch for the kernel headers too, which is easy to make by looking at the linux/sysctl.h diff in this patch.
The libc patches are here:
http://www.linuxfromscratch.org/patches ... om-1.patch
http://www.linuxfromscratch.org/patches ... om-2.patch
OpenSSL patch to match the libc patch:
http://www.linuxfromscratch.org/patches ... om-1.patch
These libc patches use erandom/urandom via the arc4random() and arc4randomII() functions, which are supported by openssh, openntpd, and others. arc4random() is used in addition in case the random driver should crash, arc4random() will still provide unpredictable results using gettimeofday() + arcfour.
So basically, I'm just trying to say that there is a variety of ways to use this kernel patch, should grsecurity choose to accept it.
regards
robert
