authormtk12101 <shan.zhang@mediatek.com>2018-06-21 14:54:37 +0800
committermtk12101 <shan.zhang@mediatek.com>2018-06-21 15:44:16 +0800
commit49685f1299d990a7195a2d54b955517d8f2cc699 (patch)
tree5b37b80c5360042114ff27d8b5fd4e4f0c62978f /prebuilts/api/26.0
parent31147b1027de480ab0b3379a008813351049e342 (diff)
[ALPS03982747] Remove unused sepolicy rules
Some rules are no longer needed and should be removed. Change-Id: I4a590ad781589cf94989ce72c88751ac10b82eae CR-Id: ALPS03982747 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Diffstat (limited to 'prebuilts/api/26.0')
-rwxr-xr-xprebuilts/api/26.0/plat_private/aee_aed.te11
-rwxr-xr-xprebuilts/api/26.0/plat_private/audiocmdservice_atci.te3
-rwxr-xr-xprebuilts/api/26.0/plat_private/boot_logo_updater.te3
-rwxr-xr-xprebuilts/api/26.0/plat_private/bootanim.te14
-rwxr-xr-xprebuilts/api/26.0/plat_private/cmddumper.te5
-rwxr-xr-xprebuilts/api/26.0/plat_private/em_svr.te21
-rwxr-xr-xprebuilts/api/26.0/plat_private/emdlogger.te4
-rwxr-xr-xprebuilts/api/26.0/plat_private/fuelgauged_static.te9
-rwxr-xr-xprebuilts/api/26.0/plat_private/mdlogger.te4
-rwxr-xr-xprebuilts/api/26.0/plat_private/meta_tst.te3
-rwxr-xr-xprebuilts/api/26.0/plat_private/mobile_log_d.te3
-rwxr-xr-xprebuilts/api/26.0/plat_private/netdiag.te7
-rwxr-xr-xprebuilts/api/26.0/plat_private/ppp.te3
-rwxr-xr-xprebuilts/api/26.0/plat_private/thermalindicator.te3
14 files changed, 6 insertions, 87 deletions
diff --git a/prebuilts/api/26.0/plat_private/aee_aed.te b/prebuilts/api/26.0/plat_private/aee_aed.te
index dbf639e..1ba4f0a 100755
--- a/prebuilts/api/26.0/plat_private/aee_aed.te
+++ b/prebuilts/api/26.0/plat_private/aee_aed.te
@@ -17,8 +17,6 @@ init_daemon_domain(aee_aed)
# AED start: /dev/block/expdb
allow aee_aed block_device:dir search;
-#allow aee_aed userdata_block_device:blk_file create_file_perms; # neverallow
-
# aee db dir and db files
allow aee_aed sdcard_type:dir create_dir_perms;
allow aee_aed sdcard_type:file create_file_perms;
@@ -40,7 +38,6 @@ allow aee_aed usermodehelper:file r_file_perms;
allow aee_aed init:unix_stream_socket connectto;
allow aee_aed property_socket:sock_file write;
-#allow aee_aed call binaries labeled "system_file" under /system/bin/
allow aee_aed system_file:file execute_no_trans;
allow aee_aed init:process getsched;
@@ -90,7 +87,7 @@ allow aee_aed tombstone_data_file:dir w_dir_perms;
allow aee_aed tombstone_data_file:file create_file_perms;
# /proc/pid/
-#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module};
+allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};
# system(cmd) aee_dumpstate aee_archive
allow aee_aed shell_exec:file rx_file_perms;
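Review bot: The added `allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};` turns a commented-out rule into an active grant, so this hunk adds permissions rather than removing unused ones as the commit title says. Dropping `dac_override` is welcome, but from the visible lines `sys_module` and `net_admin` were not active for aee_aed in this file before; whether another policy file already grants them cannot be seen here. The same activation happens in em_svr.te (`chown fsetid`), fuelgauged_static.te (`chown fsetid`), meta_tst.te (including `sys_admin`, `net_raw`, `net_admin`) and mobile_log_d.te (`fowner fsetid` beyond what is already allowed). I would leave these rules commented out in this cleanup and activate them in a separate change that records, per capability, the denial or feature that needs it, for example `# sys_module: <denial log or feature reference>` above the rule. The `# /proc/pid/` comment above the rule does not describe a capability grant and should be replaced at the same time.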
@@ -127,9 +124,3 @@ allow aee_aed init_exec:file r_file_perms;
# Purpose : make aee_aed can get notify from crash_dump
allow aee_aed crash_dump:dir search;
allow aee_aed crash_dump:file r_file_perms;
-
-# Purpose:
-# [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read }
-# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0
-# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
-#allow aee_aed sysfs:file r_file_perms;
diff --git a/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te b/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te
index 19f37e1..d907260 100755
--- a/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te
+++ b/prebuilts/api/26.0/plat_private/audiocmdservice_atci.te
@@ -14,13 +14,11 @@ init_daemon_domain(audiocmdservice_atci)
# Perform Binder IPC for audio tuning tool and access to mediaserver
binder_use(audiocmdservice_atci)
binder_call(audiocmdservice_atci, mediaserver)
-#allow audiocmdservice_atci mediaserver:chr_file create_file_perms;
allow audiocmdservice_atci mediaserver:dir w_dir_perms;
allow audiocmdservice_atci mediaserver_service:service_manager find;
# Since Android N, google separates mediaserver to audioserver and cameraserver
binder_call(audiocmdservice_atci, audioserver)
-#allow audiocmdservice_atci audioserver:chr_file create_file_perms;
allow audiocmdservice_atci audioserver:dir w_dir_perms;
allow audiocmdservice_atci audioserver_service:service_manager find;
@@ -49,4 +47,3 @@ allow radio audiocmdservice_atci_exec:file getattr;
#Android O porting
hwbinder_use(audiocmdservice_atci)
get_prop(audiocmdservice_atci, hwservicemanager_prop);
-#allow audiocmdservice_atci debugfs_tracing:file rw_file_perms;
diff --git a/prebuilts/api/26.0/plat_private/boot_logo_updater.te b/prebuilts/api/26.0/plat_private/boot_logo_updater.te
index 52c38f0..a55a3ca 100755
--- a/prebuilts/api/26.0/plat_private/boot_logo_updater.te
+++ b/prebuilts/api/26.0/plat_private/boot_logo_updater.te
@@ -21,9 +21,6 @@ allow boot_logo_updater graphics_device:chr_file rw_file_perms;
# For IPC communication
allow boot_logo_updater init:unix_stream_socket connectto;
allow boot_logo_updater property_socket:sock_file write;
-#allow boot_logo_updater self:capability dac_override;
-# To access some boot_mode infornation
-#allow boot_logo_updater sysfs:file rw_file_perms;
# To access directory /dev/block/mmcblk0 or /dev/block/sdc
allow boot_logo_updater block_device:dir search;
allow boot_logo_updater graphics_device:dir search;
diff --git a/prebuilts/api/26.0/plat_private/bootanim.te b/prebuilts/api/26.0/plat_private/bootanim.te
index edad4f0..a7c07a1 100755
--- a/prebuilts/api/26.0/plat_private/bootanim.te
+++ b/prebuilts/api/26.0/plat_private/bootanim.te
@@ -2,12 +2,6 @@
# MTK Policy Rule
# ============
-# Date : WK14.31
-# Operation : Migration
-# Purpose : For IPC communication
-### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
-#allow bootanim self:netlink_socket create_socket_perms;
-
# Date : WK14.32
# Operation : Migration
# Purpose : for playing boot tone
@@ -40,11 +34,3 @@ allow bootanim surfaceflinger:fifo_file rw_file_perms;
# Purpose : DRM / DRI GPU driver required
allow bootanim gpu_device:dir search;
-
-
-
-#============= bootanim ==============
-#allow bootanim debugfs_tracing:file write;
-
-#============= bootanim ==============
-#allow bootanim debugfs_tracing:file open;
diff --git a/prebuilts/api/26.0/plat_private/cmddumper.te b/prebuilts/api/26.0/plat_private/cmddumper.te
index 7ae391a..405bebe 100755
--- a/prebuilts/api/26.0/plat_private/cmddumper.te
+++ b/prebuilts/api/26.0/plat_private/cmddumper.te
@@ -31,11 +31,6 @@ allow cmddumper system_file:file x_file_perms;
allow cmddumper media_rw_data_file:file { create_file_perms };
allow cmddumper media_rw_data_file:dir { create_dir_perms };
-# purpose: access vmodem device
-#allow cmddumper vmodem_device:chr_file { create_file_perms };
-
# purpose: access plat_file_contexts
allow cmddumper file_contexts_file:file { read getattr open };
-# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
-#allow cmddumper sysfs:file { read open };
\ No newline at end of file
diff --git a/prebuilts/api/26.0/plat_private/em_svr.te b/prebuilts/api/26.0/plat_private/em_svr.te
index ed42b5d..a061bfa 100755
--- a/prebuilts/api/26.0/plat_private/em_svr.te
+++ b/prebuilts/api/26.0/plat_private/em_svr.te
@@ -48,7 +48,7 @@ allow em_svr sysfs_leds:dir search;
# Date: WK1812
# Purpose: add for sensor calibration
-#allow em_svr self:capability { dac_read_search dac_override chown fsetid };
+allow em_svr self:capability { chown fsetid };
# Date: WK1812
# Purpose: add for shell cmd
@@ -60,23 +60,4 @@ allow em_svr toolbox_exec:file { getattr execute read open execute_no_trans };
# Date: WK1812
# Purpose: sys file access
-#allow em_svr sysfs:file { getattr read write open };
allow em_svr sysfs:dir { open read };
-
-# Date: WK1812
-# Purpose: proc file access
-#allow em_svr proc:file { getattr open read write };
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/prebuilts/api/26.0/plat_private/emdlogger.te b/prebuilts/api/26.0/plat_private/emdlogger.te
index 92facb8..c73c775 100755
--- a/prebuilts/api/26.0/plat_private/emdlogger.te
+++ b/prebuilts/api/26.0/plat_private/emdlogger.te
@@ -47,10 +47,6 @@ allow emdlogger storage_file:dir { create_dir_perms };
allow emdlogger tmpfs:lnk_file read;
allow emdlogger storage_file:file { create_file_perms };
-#permission for read boot mode
-#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
-#allow emdlogger sysfs:file { read open };
-
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
allow emdlogger system_file:dir read;
diff --git a/prebuilts/api/26.0/plat_private/fuelgauged_static.te b/prebuilts/api/26.0/plat_private/fuelgauged_static.te
index fdbf7c1..19e1f2a 100755
--- a/prebuilts/api/26.0/plat_private/fuelgauged_static.te
+++ b/prebuilts/api/26.0/plat_private/fuelgauged_static.te
@@ -27,13 +27,6 @@ init_daemon_domain(fuelgauged_static)
allow fuelgauged_static input_device:dir rw_dir_perms;
allow fuelgauged_static input_device:file r_file_perms;
-
-# Data : WK14.43
-# Operation : Migration
-# Purpose : For fg daemon can comminucate with kernel
-### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
-#allow fuelgauged_static fuelgauged_static:netlink_kobject_uevent_socket create_socket_perms;
-#allow fuelgauged_static fuelgauged_static:netlink_socket create_socket_perms;
# Data : WK16.21
# Operation : New Feature
# Purpose : For fg daemon can access /data/FG folder
@@ -47,4 +40,4 @@ allow fuelgauged_static system_data_file:dir rw_dir_perms;
allow fuelgauged_static rootfs:file entrypoint;
# Data : WK16.39
-#allow fuelgauged_static self:capability { chown fsetid dac_override };
+allow fuelgauged_static self:capability { chown fsetid };
diff --git a/prebuilts/api/26.0/plat_private/mdlogger.te b/prebuilts/api/26.0/plat_private/mdlogger.te
index 7a27110..2e9464e 100755
--- a/prebuilts/api/26.0/plat_private/mdlogger.te
+++ b/prebuilts/api/26.0/plat_private/mdlogger.te
@@ -45,10 +45,6 @@ allow mdlogger storage_file:file { create_file_perms };
## purpose: avc: denied { read } for name="plat_file_contexts"
allow mdlogger file_contexts_file:file { read getattr open };
-#permission for read boot mode
-#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
-#allow mdlogger sysfs:file { read open };
-
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
# scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
allow mdlogger system_file:dir read;
diff --git a/prebuilts/api/26.0/plat_private/meta_tst.te b/prebuilts/api/26.0/plat_private/meta_tst.te
index edada44..6753ea4 100755
--- a/prebuilts/api/26.0/plat_private/meta_tst.te
+++ b/prebuilts/api/26.0/plat_private/meta_tst.te
@@ -21,13 +21,12 @@ init_daemon_domain(meta_tst)
#============= meta_tst =========================
allow meta_tst port:tcp_socket { name_connect name_bind };
-#allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin };
+allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };
allow meta_tst self:tcp_socket { create connect setopt bind };
allow meta_tst self:tcp_socket { bind setopt listen accept read write };
allow meta_tst self:udp_socket { create ioctl };
allow meta_tst self:capability { sys_boot ipc_lock };
allow meta_tst sysfs_wake_lock:file rw_file_perms;
-#allow meta_tst sysfs:file write;
allow meta_tst property_socket:sock_file w_file_perms;
allow meta_tst init:unix_stream_socket connectto;
allow meta_tst vold:unix_stream_socket connectto;
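Review bot: The activated `self:capability` rule at the top of this hunk and the existing `allow meta_tst self:capability { sys_boot ipc_lock };` four lines below are now two separate grants for the same class, so a reader has to assemble the domain's effective capability set by hand. Merging them into a single rule with a purpose comment keeps the full set, including `sys_admin`, visible in one place for audit. mobile_log_d.te has the same split with real overlap: the new `{ setuid setgid chown fowner fsetid }` rule sits directly above the unchanged `allow mobile_log_d self:capability { setuid chown setgid };`, which becomes redundant and can be deleted.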
diff --git a/prebuilts/api/26.0/plat_private/mobile_log_d.te b/prebuilts/api/26.0/plat_private/mobile_log_d.te
index a2ee26d..aca585f 100755
--- a/prebuilts/api/26.0/plat_private/mobile_log_d.te
+++ b/prebuilts/api/26.0/plat_private/mobile_log_d.te
@@ -22,7 +22,7 @@ set_prop(mobile_log_d, debug_prop)
unix_socket_connect(mobile_log_d, logdr, logd);
#capability
-#allow mobile_log_d self:capability { setuid setgid chown dac_read_search dac_override fowner fsetid };
+allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };
allow mobile_log_d self:capability { setuid chown setgid };
allow mobile_log_d self:capability2 syslog;
@@ -66,6 +66,5 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms;
# access debugfs/tracing/instances/
allow mobile_log_d debugfs_tracing:dir create_dir_perms;
-#allow mobile_log_d debugfs_tracing:file create_file_perms;
allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
diff --git a/prebuilts/api/26.0/plat_private/netdiag.te b/prebuilts/api/26.0/plat_private/netdiag.te
index 2ab7981..75b630f 100755
--- a/prebuilts/api/26.0/plat_private/netdiag.te
+++ b/prebuilts/api/26.0/plat_private/netdiag.te
@@ -59,13 +59,6 @@ allow netdiag netpolicy_service:service_manager find;
allow netdiag network_management_service:service_manager find;
allow netdiag settings_service:service_manager find;
-
-
-# Purpose : for socket with MTKLogger
-### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
-#allow netdiag self:socket_class_set { create_socket_perms };
-#allow netdiag self:netlink_route_socket { create_socket_perms nlmsg_read };
-
# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
allow netdiag device_logging_prop:file { getattr open };
allow netdiag mmc_prop:file { getattr open };
diff --git a/prebuilts/api/26.0/plat_private/ppp.te b/prebuilts/api/26.0/plat_private/ppp.te
index 5b3376f..99248c7 100755
--- a/prebuilts/api/26.0/plat_private/ppp.te
+++ b/prebuilts/api/26.0/plat_private/ppp.te
@@ -16,9 +16,6 @@ allow ppp property_socket:sock_file write;
# Purpose: for PPPOE Test
allow ppp devpts:chr_file { read write ioctl open setattr };
-#allow ppp self:capability { setuid net_raw setgid dac_override };
-### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
-#allow ppp self:packet_socket { write ioctl setopt read bind create };
allow ppp shell_exec:file { read execute open execute_no_trans };
diff --git a/prebuilts/api/26.0/plat_private/thermalindicator.te b/prebuilts/api/26.0/plat_private/thermalindicator.te
index 8a9131d..735f3ca 100755
--- a/prebuilts/api/26.0/plat_private/thermalindicator.te
+++ b/prebuilts/api/26.0/plat_private/thermalindicator.te
@@ -31,11 +31,10 @@ allow servicemanager thermalindicator:process { getattr };
typeattribute thermalindicator mlstrustedsubject;
allow thermalindicator proc:dir {search getattr};
-#allow thermalindicator proc:file read;
allow thermalindicator shell:dir search;
allow thermalindicator platform_app:dir search;
allow thermalindicator platform_app:file {open read getattr};
allow thermalindicator untrusted_app:dir search;
allow thermalindicator untrusted_app:file {open read getattr};
allow thermalindicator mediaserver:dir search;
-allow thermalindicator mediaserver:file {open read getattr};
\ No newline at end of file
+allow thermalindicator mediaserver:file {open read getattr};