Merge "Remove all module_request rules" into main
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 2e5089c..a3765ec 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -14,8 +14,3 @@
# Read the on-device signing certificate, to be able to add it to the keyring
allow fsverity_init odsign:fd use;
allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;
diff --git a/private/system_server.te b/private/system_server.te
index 452f4bb..136db38 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -147,9 +147,6 @@
sys_tty_config
};
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
# Allow alarmtimers to be set
allow system_server self:global_capability2_class_set wake_alarm;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index 86f1eb1..d189c89 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -23,6 +23,3 @@
allow dnsmasq netd:unix_stream_socket { getattr read write };
allow dnsmasq netd:unix_dgram_socket { read write };
allow dnsmasq netd:udp_socket { read write };
-
-# sometimes a network device vanishes and we try to load module netdev-{devicename}
-dontaudit dnsmasq kernel:system module_request;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 8452b97..788a76f 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -87,7 +87,6 @@
allow fastbootd cache_file:dir search;
allow fastbootd proc_filesystems:file { getattr open read };
allow fastbootd self:capability sys_rawio;
- dontaudit fastbootd kernel:system module_request;
allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
allow fastbootd {
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index e21796a..306d459 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -8,7 +8,6 @@
allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allow hal_telephony_server kernel:system module_request;
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index b531a22..498469d 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -11,7 +11,6 @@
r_dir_file(hal_wifi_supplicant, sysfs_type)
r_dir_file(hal_wifi_supplicant, proc_net_type)
-allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
diff --git a/public/netd.te b/public/netd.te
index a5c27f9..41ae9ec 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -185,6 +185,4 @@
# (things it requires should be built directly into the kernel)
dontaudit netd self:capability sys_module;
-dontaudit netd kernel:system module_request;
-
dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/public/racoon.te b/public/racoon.te
index e4b299e..00d10a4 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -13,7 +13,6 @@
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
allow racoon cgroup_v2:dir { add_name create };
-allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
allow racoon self:tun_socket create_socket_perms_no_ioctl;
diff --git a/public/update_engine.te b/public/update_engine.te
index ab7090b..f879013 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -29,9 +29,6 @@
allow update_engine update_engine_log_data_file:dir create_dir_perms;
allow update_engine update_engine_log_data_file:file create_file_perms;
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)