Allow access to /proc/sys/kernel/random/entropy_avail

We have a software that depends on reading /proc/sys/kernel/random/entropy_avail, however it seems that there is no interface in snapd that allows access to that file.

I guess it would make sense to have access to that path through an interface

Wonder which or even if an interface would be the right fit here.

Reading /dev/{u,}random is allowed in the base abstraction, while out base template extends that to allow writing. In theory you could already drain the the kernel of available entropy with the permissions we grant. I suppose extending the base template to allow checking how much entropy is available does not change much at this point. Perhaps @alexmurray has some thoughts on this.

1 Like

I don’t have any objection to adding this to the base abstraction - as @mborzecki whether you can check how much remains or not doesn’t have a security impact.

1 Like

thanks a lot! much appreciated;)

fwiw, this is a network server that uses a crypto lib that must have at least 64 octets entropy, otherwise it will just block and wait. we’re proactively monitoring entropy avail and hint the user at “install rng-tools”.

A PR is up now:

1 Like

Hi there, a follow-up note on other similar files. We’d like to use haveged in our image and it needs read access to the files /proc/sys/kernel/random/poolsize and /proc/sys/kernel/random/write_wakeup_threshold. Can it be approved with a PR? :slight_smile: