Restrict access to /dev/hw_random to system_server and init.

/dev/hw_random is accessed only by init and by EntropyMixer (which runs inside system_server). Other domains are denied access because apps/services should be obtaining randomness from the Linux RNG. Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f

Restrict access to /dev/hw_random to system_server and init.
8d688315 · Alex Klyubin · 109f9e62 · 8d688315 · 8d688315 · 8d688315
Commit 8d688315 authored 11 years ago by Alex Klyubin
--- a/device.te
+++ b/device.te
@@ -17,6 +17,7 @@ type console_device, dev_type;
 type cpuctl_device, dev_type;
 type full_device, dev_type;
 type graphics_device, dev_type;
+type hw_random_device, dev_type;
 type input_device, dev_type;
 type kmem_device, dev_type;
 type log_device, dev_type, mlstrustedobject;

--- a/domain.te
+++ b/domain.te
@@ -139,5 +139,8 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 # Only init should be able to load SELinux policies
 neverallow { domain -init } kernel:security load_policy;

+# Only init and system_server should be able to access HW RNG
+neverallow { domain -init -system_server -unconfineddomain } hw_random_device:chr_file *;
+
 # Ensure that all entrypoint executables are in exec_type.
 neverallow domain { file_type -exec_type }:file entrypoint;
--- a/file_contexts
+++ b/file_contexts
@@ -48,6 +48,7 @@
 /dev/full		u:object_r:full_device:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
+/dev/hw_random		u:object_r:hw_random_device:s0
 /dev/input(/.*)		u:object_r:input_device:s0
 /dev/iio:device[0-9]+   u:object_r:iio_device:s0
 /dev/ion		u:object_r:ion_device:s0

--- a/system_server.te
+++ b/system_server.te
@@ -33,6 +33,9 @@ allow system_server system_ndebug_socket:sock_file create_file_perms;

 allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };

+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file r_file_perms;
+
 allow system_server backup_data_file:dir relabelto;
 allow system_server cache_backup_file:dir relabelto;
 allow system_server anr_data_file:dir relabelto;