Commit 9d9c370f authored by Nick Kralevich

Make /proc/sys/kernel/random available to everyone

Similar to the way we handle /dev/random and /dev/urandom, make
/proc/sys/kernel/random available to everyone.

  hostname:/proc/sys/kernel/random # ls -laZ
  total 0
  dr-xr-xr-x 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 .
  dr-xr-xr-x 1 root root u:object_r:proc:s0        0 2017-11-20 18:32 ..
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 boot_id
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 entropy_avail
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 poolsize
  -rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 read_wakeup_threshold
  -rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 urandom_min_reseed_secs
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 uuid
  -rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 write_wakeup_threshold

boot_id (unique random number per boot) is commonly used by
applications, as is "uuid". As these are random numbers, no sensitive
data is leaked. The other files are useful to allow processes to
understand the state of the entropy pool, and should be fairly benign.

Addresses the following denial:

  type=1400 audit(0.0:207): avc: denied { read } for name="boot_id"
  dev="proc" ino=76194 scontext=u:r:untrusted_app_25:s0:c512,c768
  tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 69294418
Test: policy compiles.
Change-Id: Ieeca1c654ec755123e19b4693555990325bd58cf
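The denial quoted in the commit message is the usual starting point for an SELinux policy change: the `scontext`/`tcontext`/`tclass`/permission fields determine the narrowest `allow` rule that would silence it, and only then does a reviewer decide whether to grant something broader (as this commit does with a domain-wide rule against the `proc_random` label). The following is an added example, not code from this commit or from the Android platform: a small parser that turns `avc: denied` lines into structured records and derives the minimal rule per (source, target, class) group, the way a triage script or audit2allow would. The sample log is constructed; its first line is the denial quoted above re-joined onto one line, the second is an invented companion denial for the same app opening the neighbouring `uuid` file.

```python
import re

# Constructed sample log: the first line is the denial quoted in the commit
# message above (re-joined onto one line); the second is a made-up companion
# denial for the same app opening the neighbouring "uuid" file.
SAMPLE_LOG = [
    'type=1400 audit(0.0:207): avc: denied { read } for name="boot_id" '
    'dev="proc" ino=76194 scontext=u:r:untrusted_app_25:s0:c512,c768 '
    'tcontext=u:object_r:proc:s0 tclass=file permissive=0',
    'type=1400 audit(0.0:208): avc: denied { open } for '
    'path="/proc/sys/kernel/random/uuid" dev="proc" ino=76195 '
    'scontext=u:r:untrusted_app_25:s0:c512,c768 '
    'tcontext=u:object_r:proc:s0 tclass=file permissive=0',
]

# Shape of an avc record: "avc: denied { perm perm ... } for key=value ..."
_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space chars
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def _context_type(ctx):
    """The third field of a context 'user:role:type:level' is the type."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc_denial(line):
    """Return a dict describing one avc denial, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, quoted, bare in _KV_RE.findall(m.group('fields')):
        fields[key] = bare if bare else quoted
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': m.group('perms').split(),
        'source_type': _context_type(fields['scontext']),
        'target_type': _context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        # name= or path= identifies the object touched (not always present)
        'object': fields.get('path', fields.get('name')),
        # permissive=1 means the denial was only logged, not enforced
        'enforced': fields.get('permissive') == '0',
    }


def summarize_denials(lines):
    """Group denials by (source type, target type, class); union the perms."""
    groups = {}
    for line in lines:
        d = parse_avc_denial(line)
        if d is None:
            continue
        key = (d['source_type'], d['target_type'], d['tclass'])
        groups.setdefault(key, set()).update(d['perms'])
    return groups


def suggest_allow_rules(lines):
    """Minimal allow rules, one per group, that would silence the denials."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize_denials(lines).items()):
        rules.append('allow %s %s:%s { %s };'
                     % (src, tgt, cls, ' '.join(sorted(perms))))
    return rules


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(parse_avc_denial(line))
    for rule in suggest_allow_rules(SAMPLE_LOG):
        print(rule)
```

The derived rule (`allow untrusted_app_25 proc:file { open read };`) is the narrowest fix and is what a reviewer compares against the rule actually proposed: here the commit grants `r_file_perms` to every domain on the `proc_random` label instead, which is a deliberate widening in both source and permission set, and note that the quoted denial's target type is `proc` rather than `proc_random`, so the fix also depends on the files carrying the narrower label that the `ls -laZ` listing shows.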
parent d4785c37
......@@ -77,6 +77,8 @@ allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_devic
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain proc_random:dir r_dir_perms;
allow domain proc_random:file r_file_perms;
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file r_file_perms;
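Review bot: the quoted denial has tcontext=u:object_r:proc:s0, but the two new lines grant access to the proc_random type, so the fix only takes effect on devices where /proc/sys/kernel/random actually carries the proc_random label shown in the ls -laZ listing; since the Test line only says "policy compiles", confirming that an untrusted app can now read boot_id without a denial would close that gap. The rule is also a deliberate broadening from the single untrusted_app_25 domain in the denial to every domain, in line with the random_device rule directly above it; r_file_perms stays read-only, so the tunable files (read_wakeup_threshold, write_wakeup_threshold, urandom_min_reseed_secs) are not made writable, which is the right scope. One caveat for the message's "no sensitive data is leaked": boot_id is, as the message says, constant for the whole boot, and once every app can read it, it can serve as a per-boot identifier shared across otherwise isolated apps; that is a linkability consideration rather than an entropy one and is worth recording.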
......@@ -38,9 +38,8 @@ allow update_engine_common shell_exec:file rx_file_perms;
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
# access /proc/cmdline and /proc/sys/kernel/random/
# access /proc/cmdline
allow update_engine_common proc_cmdline:file r_file_perms;
r_dir_file(update_engine_common, proc_random)
# Read files in /sys/firmware/devicetree/base/firmware/android/
r_dir_file(update_engine_common, sysfs_dt_firmware_android)
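Review bot: dropping `r_dir_file(update_engine_common, proc_random)` is correct only because the same change adds `allow domain proc_random:dir r_dir_perms;` and `allow domain proc_random:file r_file_perms;` for every domain, which update_engine_common belongs to; the comment is trimmed to `# access /proc/cmdline` accordingly. Suggest sweeping the rest of the policy for other per-domain proc_random grants that the domain-wide rule now makes redundant, so there is a single place where that access is defined.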