From 8d688315aeb053eadc2606badbe4ce52899bb694 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 3 Oct 2013 13:35:56 -0700
Subject: [PATCH] Restrict access to /dev/hw_random to system_server and init.

/dev/hw_random is accessed only by init and by EntropyMixer (which
runs inside system_server). Other domains are denied access because
apps/services should be obtaining randomness from the Linux RNG.

Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f
---
 device.te        | 1 +
 domain.te        | 3 +++
 file_contexts    | 1 +
 system_server.te | 3 +++
 4 files changed, 8 insertions(+)

diff --git a/device.te b/device.te
index 8882d9935..508c0ebff 100644
--- a/device.te
+++ b/device.te
@@ -17,6 +17,7 @@ type console_device, dev_type;
 type cpuctl_device, dev_type;
 type full_device, dev_type;
 type graphics_device, dev_type;
+type hw_random_device, dev_type;
 type input_device, dev_type;
 type kmem_device, dev_type;
 type log_device, dev_type, mlstrustedobject;
diff --git a/domain.te b/domain.te
index 12aa89888..bfe8a9cc5 100644
--- a/domain.te
+++ b/domain.te
@@ -139,5 +139,8 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 # Only init should be able to load SELinux policies
 neverallow { domain -init } kernel:security load_policy;
 
+# Only init and system_server should be able to access HW RNG
+neverallow { domain -init -system_server -unconfineddomain } hw_random_device:chr_file *;
+
 # Ensure that all entrypoint executables are in exec_type.
 neverallow domain { file_type -exec_type }:file entrypoint;
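Review bot: The neverallow on the new line also exempts unconfineddomain, so the assertion is weaker than both the comment above it and the commit message, which name only init and system_server; the comment should say so, e.g. `# Only init and system_server should be able to access HW RNG (unconfined domains are also exempt from this assertion)`. No allow rule for init is added anywhere in this patch, so init's read of the newly labelled node presumably rests on existing rules — worth confirming, since a missing allow would only surface as a boot-time denial once the label in file_contexts takes effect. The assertion is also bound to the hw_random_device label rather than to the device itself, so any other node exposing the same RNG under a different label would not be covered.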
diff --git a/file_contexts b/file_contexts
index c4c4a094e..dfdb43943 100644
--- a/file_contexts
+++ b/file_contexts
@@ -48,6 +48,7 @@
 /dev/full		u:object_r:full_device:s0
 /dev/fuse		u:object_r:fuse_device:s0
 /dev/graphics(/.*)?	u:object_r:graphics_device:s0
+/dev/hw_random		u:object_r:hw_random_device:s0
 /dev/input(/.*)		u:object_r:input_device:s0
 /dev/iio:device[0-9]+   u:object_r:iio_device:s0
 /dev/ion		u:object_r:ion_device:s0
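Review bot: The new entry matches the literal path `/dev/hw_random` only, with no regex tail, so the restriction introduced in domain.te depends entirely on the node being created under exactly that name. If a kernel or a device's ueventd configuration exposes the hardware RNG under a different node name (say `/dev/<OTHER_RNG_NODE>` as a placeholder), that node would keep the generic /dev label and fall outside the neverallow; a short comment on the line noting that any alias of the RNG node must carry the same label would make the intent explicit for later porters.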
diff --git a/system_server.te b/system_server.te
index 35df21c66..6e1acd3b1 100644
--- a/system_server.te
+++ b/system_server.te
@@ -33,6 +33,9 @@ allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
 
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file r_file_perms;
+
 allow system_server backup_data_file:dir relabelto;
 allow system_server cache_backup_file:dir relabelto;
 allow system_server anr_data_file:dir relabelto;
-- 
GitLab