Restrict access to /dev/hw_random to system_server and init.

/dev/hw_random is accessed only by init and by EntropyMixer (which
runs inside system_server). Other domains are denied access because
apps/services should be obtaining randomness from the Linux RNG.

Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f
diff --git a/system_server.te b/system_server.te
index 35df21c..6e1acd3 100644
--- a/system_server.te
+++ b/system_server.te
@@ -33,6 +33,9 @@
 
 allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
 
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file r_file_perms;
+
 allow system_server backup_data_file:dir relabelto;
 allow system_server cache_backup_file:dir relabelto;
 allow system_server anr_data_file:dir relabelto;
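Review bot: The added `allow system_server hw_random_device:chr_file r_file_perms;` grants read access, but nothing in this hunk enforces the "only init and system_server" restriction the commit message describes. If the rest of the commit (not visible here) only removes broader allow rules, a later policy change or a device-specific policy could grant the access again without anyone noticing. A compile-time assertion would make the restriction durable, for example `neverallow { domain -init -system_server } hw_random_device:chr_file *;`. The exclusion set needs to be confirmed against any other domain that legitimately touches the node, such as whichever domain creates and labels it. It would also help to extend the comment to say that access is intentionally read-only and that other domains are expected to use the kernel RNG instead.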