From 9d9c370f31556c33f62e7889f64ad3a2728f1863 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 20 Nov 2017 11:02:03 -0800
Subject: [PATCH] Make /proc/sys/kernel/random available to everyone

Similar to the way we handle /dev/random and /dev/urandom, make
/proc/sys/kernel/random available to everyone.

  hostname:/proc/sys/kernel/random # ls -laZ
  total 0
  dr-xr-xr-x 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 .
  dr-xr-xr-x 1 root root u:object_r:proc:s0        0 2017-11-20 18:32 ..
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 boot_id
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 entropy_avail
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 poolsize
  -rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 read_wakeup_threshold
  -rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 urandom_min_reseed_secs
  -r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 uuid
  -rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 write_wakeup_threshold

boot_id (unique random number per boot) is commonly used by
applications, as is "uuid". As these are random numbers, no sensitive
data is leaked. The other files are useful to allow processes to
understand the state of the entropy pool, and should be fairly benign.

Addresses the following denial:

  type=1400 audit(0.0:207): avc: denied { read } for name="boot_id"
  dev="proc" ino=76194 scontext=u:r:untrusted_app_25:s0:c512,c768
  tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 69294418
Test: policy compiles.
Change-Id: Ieeca1c654ec755123e19b4693555990325bd58cf
---
 public/domain.te               | 2 ++
 public/update_engine_common.te | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index ab1684980..7c53d0c37 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -77,6 +77,8 @@ allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_devic
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
 allow domain properties_device:dir { search getattr };
 allow domain properties_serial:file r_file_perms;
 
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e27590054..eb4cdc194 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -38,9 +38,8 @@ allow update_engine_common shell_exec:file rx_file_perms;
 # Allow update_engine_common to suspend, resume and kill the postinstall program.
 allow update_engine_common postinstall:process { signal sigstop sigkill };
 
-# access /proc/cmdline and /proc/sys/kernel/random/
+# access /proc/cmdline
 allow update_engine_common proc_cmdline:file r_file_perms;
-r_dir_file(update_engine_common, proc_random)
 
 # Read files in /sys/firmware/devicetree/base/firmware/android/
 r_dir_file(update_engine_common, sysfs_dt_firmware_android)
-- 
GitLab