Remove all module_request rules

Starting in Android 11, Android unconditionally disables kernel module
autoloading (https://r.android.com/1254748) in such a way that even the
SELinux permission does not get checked.  Therefore, all the SELinux
rules that allow or dontaudit the module_request permission are no
longer necessary.  Their presence or absence makes no difference.

Bug: 130424539
Test: Booted Cuttlefish, no SELinux denials.
Change-Id: Ib80e3c8af83478ba2c38d3e8a8ae4e1192786b57

private/fsverity_init.te

@@ -14,8 +14,3 @@ allow fsverity_init fsverity_init:key { view search write };
 # Read the on-device signing certificate, to be able to add it to the keyring
 allow fsverity_init odsign:fd use;
 allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;

private/system_server.te

@@ -147,9 +147,6 @@ allow system_server self:global_capability_class_set {
     sys_tty_config
 };
 
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
 # Allow alarmtimers to be set
 allow system_server self:global_capability2_class_set wake_alarm;
 

public/dnsmasq.te

@@ -23,6 +23,3 @@ allow dnsmasq netd:netlink_route_socket { read write };
 allow dnsmasq netd:unix_stream_socket { getattr read write };
 allow dnsmasq netd:unix_dgram_socket { read write };
 allow dnsmasq netd:udp_socket { read write };
-
-# sometimes a network device vanishes and we try to load module netdev-{devicename}
-dontaudit dnsmasq kernel:system module_request;

public/fastbootd.te

@@ -87,7 +87,6 @@ recovery_only(`
     allow fastbootd cache_file:dir search;
     allow fastbootd proc_filesystems:file { getattr open read };
     allow fastbootd self:capability sys_rawio;
-    dontaudit fastbootd kernel:system module_request;
     allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
     allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
     allow fastbootd {

public/hal_telephony.te

@@ -8,7 +8,6 @@ hal_attribute_service(hal_telephony, hal_radio_service)
 allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
 
 allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allow hal_telephony_server kernel:system module_request;
 allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
 allow hal_telephony_server cgroup:dir create_dir_perms;
 allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;

public/hal_wifi_supplicant.te

@@ -11,7 +11,6 @@ allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
 r_dir_file(hal_wifi_supplicant, sysfs_type)
 r_dir_file(hal_wifi_supplicant, proc_net_type)
 
-allow hal_wifi_supplicant kernel:system module_request;
 allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
 allow hal_wifi_supplicant cgroup:dir create_dir_perms;
 allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;

public/netd.te

@@ -185,6 +185,4 @@ dontaudit netd self:capability sys_admin;
 # (things it requires should be built directly into the kernel)
 dontaudit netd self:capability sys_module;
 
-dontaudit netd kernel:system module_request;
-
 dontaudit netd appdomain:unix_stream_socket { read write };

public/racoon.te

@@ -13,7 +13,6 @@ allow racoon tun_device:chr_file r_file_perms;
 allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
 allow racoon cgroup:dir { add_name create };
 allow racoon cgroup_v2:dir { add_name create };
-allow racoon kernel:system module_request;
 
 allow racoon self:key_socket create_socket_perms_no_ioctl;
 allow racoon self:tun_socket create_socket_perms_no_ioctl;

public/update_engine.te

@@ -29,9 +29,6 @@ allow update_engine update_engine_data_file:file create_file_perms;
 allow update_engine update_engine_log_data_file:dir create_dir_perms;
 allow update_engine update_engine_log_data_file:file create_file_perms;
 
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
 add_service(update_engine, update_engine_service)