From 85c0f8affa4d3aa3c50331e272327e360eb8bed9 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Fri, 11 Mar 2016 15:23:49 -0800
Subject: [PATCH] Create sysfs_hwrandom type.

HwRngTest needs access to the hwrandom sysfs files, but untrused_app
does not have access to sysfs.  Give these files their own label and
allow the needed read access.

Bug: 27263241
Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b
---
 file.te          | 1 +
 file_contexts    | 1 +
 ueventd.te       | 1 +
 untrusted_app.te | 4 ++++
 4 files changed, 7 insertions(+)

diff --git a/file.te b/file.te
index 6f32aeb50..7a46b4f5c 100644
--- a/file.te
+++ b/file.te
@@ -25,6 +25,7 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_batteryinfo, fs_type, sysfs_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
 type sysfs_mac_address, fs_type, sysfs_type;
diff --git a/file_contexts b/file_contexts
index a3cebbf47..573955614 100644
--- a/file_contexts
+++ b/file_contexts
@@ -356,6 +356,7 @@
 /sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
 /sys/devices/virtual/block/zram\d+(/.*)?     u:object_r:sysfs_zram:s0
 /sys/devices/virtual/block/zram\d+/uevent    u:object_r:sysfs_zram_uevent:s0
+/sys/devices/virtual/misc/hw_random(/.*)?    u:object_r:sysfs_hwrandom:s0
 /sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
 /sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
 /sys/kernel/uevent_helper --	u:object_r:usermodehelper:s0
diff --git a/ueventd.te b/ueventd.te
index 9eb2b1a56..fb7266319 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -14,6 +14,7 @@ allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio da
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;
 allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs_hwrandom:file w_file_perms;
 allow ueventd sysfs_zram_uevent:file w_file_perms;
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
 allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
diff --git a/untrusted_app.te b/untrusted_app.te
index 4ec7b6c69..34e592981 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -102,6 +102,10 @@ allow untrusted_app proc:file r_file_perms;
 # access /proc/net/xt_qtguid/stats
 r_dir_file(untrusted_app, proc_net)
 
+# Cts: HwRngTest
+allow untrusted_app sysfs_hwrandom:dir search;
+allow untrusted_app sysfs_hwrandom:file r_file_perms;
+
 ###
 ### neverallow rules
 ###