Make /proc/sys/kernel/random available to everyone
Similar to the way we handle /dev/random and /dev/urandom, make
/proc/sys/kernel/random available to everyone.
hostname:/proc/sys/kernel/random # ls -laZ
total 0
dr-xr-xr-x 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 .
dr-xr-xr-x 1 root root u:object_r:proc:s0 0 2017-11-20 18:32 ..
-r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 boot_id
-r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 entropy_avail
-r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 poolsize
-rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 read_wakeup_threshold
-rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 urandom_min_reseed_secs
-r--r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 uuid
-rw-r--r-- 1 root root u:object_r:proc_random:s0 0 2017-11-20 19:02 write_wakeup_threshold
boot_id (unique random number per boot) is commonly used by
applications, as is "uuid". As these are random numbers, no sensitive
data is leaked. The other files are useful to allow processes to
understand the state of the entropy pool, and should be fairly benign.
Addresses the following denial:
type=1400 audit(0.0:207): avc: denied { read } for name="boot_id"
dev="proc" ino=76194 scontext=u:r:untrusted_app_25:s0:c512,c768
tcontext=u:object_r:proc:s0 tclass=file permissive=0
Bug: 69294418
Test: policy compiles.
Change-Id: Ieeca1c654ec755123e19b4693555990325bd58cf
2 files changed