sepolicy: Remove DebugFS rules
Change-Id: I8661ac793d48de3e3eeb18e3b80e27eb363a8d7b
diff --git a/basic/non_plat/atci_service.te b/basic/non_plat/atci_service.te
index 7a6bbdf..114c3bf 100644
--- a/basic/non_plat/atci_service.te
+++ b/basic/non_plat/atci_service.te
@@ -109,7 +109,6 @@
allow atci_service system_file:dir r_dir_perms;
allow atci_service camera_pipemgr_device:chr_file r_file_perms;
allow atci_service mtk_hal_camera:binder call;
-allow atci_service debugfs_ion:dir search;
allow atci_service sysfs_tpd_setting:file rw_file_perms;
allow atci_service sysfs_vibrator_setting:file rw_file_perms;
allow atci_service sysfs_leds_setting:file rw_file_perms;
diff --git a/basic/non_plat/cameraserver.te b/basic/non_plat/cameraserver.te
index 13b9f55..6d572af 100644
--- a/basic/non_plat/cameraserver.te
+++ b/basic/non_plat/cameraserver.te
@@ -41,10 +41,6 @@
allow cameraserver proc_ged:file rw_file_perms;
allowxperm cameraserver proc_ged:file ioctl proc_ged_ioctls;
-# Date : WK17.25
-# Operation : Migration
-allow cameraserver debugfs_ion:dir search;
-
# Date : WK17.49
# Operation : MT6771 SQC
# Purpose: Allow permgr access
diff --git a/basic/non_plat/crash_dump.te b/basic/non_plat/crash_dump.te
index 5301f87..d8b6a4a 100644
--- a/basic/non_plat/crash_dump.te
+++ b/basic/non_plat/crash_dump.te
@@ -52,7 +52,3 @@
allow crash_dump proc_meminfo:file r_file_perms;
allow crash_dump procfs_blockio:file r_file_perms;
-
-# Purpose: Allow crash_dump to create/write /sys/kernel/tracing/slog
-allow crash_dump debugfs_tracing_instances:dir create_dir_perms;
-allow crash_dump debugfs_tracing_instances:file create_file_perms;
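Review bot: The two rules removed at the end of this file are documented as covering `/sys/kernel/tracing/slog`, which is a tracefs path rather than a debugfs one, so the removal goes beyond what the commit title describes. If the slog trace instance is still created when a crash is handled, crash_dump will now be denied on `debugfs_tracing_instances`; either confirm the feature is retired, or keep `allow crash_dump debugfs_tracing_instances:dir create_dir_perms;` and the matching `:file create_file_perms` rule. The same question applies to the `debugfs_tracing_instances` rules dropped from dumpstate.te (mmstat trace) and vendor_init.te (mmstat tracer). The commit message has no body, so a line saying whether the tracing rules go because of a platform restriction or because the tracers are gone would help anyone triaging AVC denials later.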
diff --git a/basic/non_plat/dumpstate.te b/basic/non_plat/dumpstate.te
index 1fff2b0..6c12cf9 100644
--- a/basic/non_plat/dumpstate.te
+++ b/basic/non_plat/dumpstate.te
@@ -6,9 +6,6 @@
allow dumpstate aee_dumpsys_data_file:dir w_dir_perms;
allow dumpstate aee_dumpsys_data_file:file create_file_perms;
-# Purpose: debugfs files
-allow dumpstate procfs_blockio:file r_file_perms;
-
# Purpose: /sys/kernel/ccci/md_chn
allow dumpstate sysfs_ccci:dir search;
allow dumpstate sysfs_ccci:file r_file_perms;
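Review bot: The rule removed under "# Purpose: debugfs files" is `allow dumpstate procfs_blockio:file r_file_perms;`, whose target type is by its name a procfs type, not a debugfs one, so dropping it looks unrelated to this commit's stated purpose. crash_dump.te keeps its own `procfs_blockio` read rule as context in this same commit, which suggests the type and its node still exist. The last hunk of this file likewise drops `allow dumpstate proc_ccci_dump:file r_file_perms;`. If bugreports still collect these nodes, keep both rules and only fix the comment so it no longer says debugfs; if the removal is intended, it belongs in a separate commit with its own reason.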
@@ -82,7 +79,6 @@
# Date : W19.26
# Operation : Migration
# Purpose : fix google dumpstate avc error in xTS
-allow dumpstate debugfs_mmc:dir search;
allow dumpstate mnt_media_rw_file:dir getattr;
# Date: 19/07/15
@@ -109,14 +105,8 @@
hal_client_domain(dumpstate, hal_light)
-#Purpose: Allow dumpstate to read /sys/kernel/tracing/instances/mmstat/trace
-allow dumpstate debugfs_tracing_instances:dir r_dir_perms;
-allow dumpstate debugfs_tracing_instances:file r_file_perms;
-
allow dumpstate proc_ion:dir r_dir_perms;
allow dumpstate proc_ion:file r_file_perms;
allow dumpstate proc_m4u_dbg:dir r_dir_perms;
allow dumpstate proc_m4u_dbg:file r_file_perms;
allow dumpstate proc_mtkfb:file r_file_perms;
-
-allow dumpstate proc_ccci_dump:file r_file_perms;
diff --git a/basic/non_plat/factory.te b/basic/non_plat/factory.te
index 141a103..5735111 100644
--- a/basic/non_plat/factory.te
+++ b/basic/non_plat/factory.te
@@ -288,7 +288,6 @@
allow factory sysfs_power:dir r_dir_perms;
allow factory self:capability2 block_suspend;
allow factory sysfs_vibrator:file rw_file_perms;
-allow factory debugfs_ion:dir search;
allow factory selinuxfs:file r_file_perms;
allow factory sysfs_devices_block:dir r_dir_perms;
allow factory vendor_mtk_factory_start_prop:file read;
diff --git a/basic/non_plat/file.te b/basic/non_plat/file.te
index db224a3..72b59fa 100644
--- a/basic/non_plat/file.te
+++ b/basic/non_plat/file.te
@@ -363,19 +363,6 @@
type sysfs_cm_mgr, fs_type, sysfs_type;
##########################
-# Debug Filesystem types
-#
-
-# display debugfs file
-type debugfs_fb, fs_type, debugfs_type;
-
-# fpsgo debugfs file
-type debugfs_fpsgo, fs_type, debugfs_type;
-
-# memtrack debugfs file
-type debugfs_ion, fs_type, debugfs_type;
-
-##########################
# Other Filesystem types
#
# for labeling /mnt/cd-rom as iso9660
diff --git a/basic/non_plat/genfs_contexts b/basic/non_plat/genfs_contexts
index 6f9eaae..d635537 100644
--- a/basic/non_plat/genfs_contexts
+++ b/basic/non_plat/genfs_contexts
@@ -624,18 +624,6 @@
genfscon sysfs /kernel/cm_mgr u:object_r:sysfs_cm_mgr:s0
##########################
-# debugfs files
-#
-genfscon debugfs /displowpower u:object_r:debugfs_fb:s0
-genfscon debugfs /disp u:object_r:debugfs_fb:s0
-genfscon debugfs /dispsys u:object_r:debugfs_fb:s0
-genfscon debugfs /fbconfig u:object_r:debugfs_fb:s0
-genfscon debugfs /fpsgo u:object_r:debugfs_fpsgo:s0
-genfscon debugfs /ion/clients u:object_r:debugfs_ion:s0
-genfscon debugfs /mtkfb u:object_r:debugfs_fb:s0
-genfscon debugfs /mmprofile u:object_r:debugfs_fb:s0
-
-##########################
# other files
#
genfscon iso9660 / u:object_r:iso9660:s0
diff --git a/basic/non_plat/hal_drm_default.te b/basic/non_plat/hal_drm_default.te
index fd7b4a2..d6f08ff 100644
--- a/basic/non_plat/hal_drm_default.te
+++ b/basic/non_plat/hal_drm_default.te
@@ -4,5 +4,3 @@
vndbinder_use(hal_drm_default)
-allow hal_drm_default debugfs_tracing:file w_file_perms;
-allow hal_drm_default debugfs_ion:dir search;
diff --git a/basic/non_plat/hal_graphics_allocator_default.te b/basic/non_plat/hal_graphics_allocator_default.te
index fef9261..86cb43f 100644
--- a/basic/non_plat/hal_graphics_allocator_default.te
+++ b/basic/non_plat/hal_graphics_allocator_default.te
@@ -4,8 +4,6 @@
allow hal_graphics_allocator_default gpu_device:dir search;
allow hal_graphics_allocator_default sw_sync_device:chr_file rw_file_perms;
-allow hal_graphics_allocator_default debugfs_ion:dir search;
-allow hal_graphics_allocator_default debugfs_tracing:file w_file_perms;
allow hal_graphics_allocator_default proc_ged:file r_file_perms;
allow hal_graphics_allocator_default dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/basic/non_plat/hal_graphics_composer_default.te b/basic/non_plat/hal_graphics_composer_default.te
index 81f304e..6dacaa4 100644
--- a/basic/non_plat/hal_graphics_composer_default.te
+++ b/basic/non_plat/hal_graphics_composer_default.te
@@ -15,8 +15,6 @@
# Purpose: GPU driver required
allow hal_graphics_composer_default gpu_device:dir search;
-allow hal_graphics_composer_default debugfs_ion:dir search;
-allow hal_graphics_composer_default debugfs_tracing:file w_file_perms;
# Date : WK17.30
# Operation : O Migration
diff --git a/basic/non_plat/hal_keymaster_default.te b/basic/non_plat/hal_keymaster_default.te
deleted file mode 100644
index 5174eb7..0000000
--- a/basic/non_plat/hal_keymaster_default.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# ==============================================
-# Common SEPolicy Rule
-# ==============================================
-
-# Date : WK17.30 2017/07/25
-# Operation : keystore
-# Purpose : Fix keystore boot selinux violation
-allow hal_keymaster_default debugfs_tracing:file w_file_perms;
diff --git a/basic/non_plat/init.te b/basic/non_plat/init.te
index 22ef8a7..847b7bf 100644
--- a/basic/non_plat/init.te
+++ b/basic/non_plat/init.te
@@ -64,9 +64,6 @@
# Purpose: Fix gnss hal service fail
allow init mtk_hal_gnss_exec:file getattr;
-# Fix boot up violation
-allow init debugfs_tracing_instances:file relabelfrom;
-
# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
diff --git a/basic/non_plat/mediacodec.te b/basic/non_plat/mediacodec.te
index c733874..d8c78dc 100644
--- a/basic/non_plat/mediacodec.te
+++ b/basic/non_plat/mediacodec.te
@@ -95,7 +95,6 @@
# Date : WK1721
# Purpose: For FULL TREBLE
allow mediacodec system_file:dir r_dir_perms;
-allow mediacodec debugfs_ion:dir search;
# Date : WK17.30
diff --git a/basic/non_plat/mediaswcodec.te b/basic/non_plat/mediaswcodec.te
index d5ed060..6f16deb 100644
--- a/basic/non_plat/mediaswcodec.te
+++ b/basic/non_plat/mediaswcodec.te
@@ -5,7 +5,6 @@
# Date : WK19.25
# Operation : Migration
# Purpose : [ALPS04669482] DRTS failed due to avc denied
-allow mediaswcodec debugfs_ion:dir rw_dir_perms;
allow mediaswcodec gpu_device:dir rw_dir_perms;
allow mediaswcodec gpu_device:chr_file rw_file_perms;
allow mediaswcodec dri_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/merged_hal_service.te b/basic/non_plat/merged_hal_service.te
index d0f003c..f489125 100644
--- a/basic/non_plat/merged_hal_service.te
+++ b/basic/non_plat/merged_hal_service.te
@@ -33,7 +33,6 @@
hal_server_domain(merged_hal_service, hal_graphics_allocator)
allow merged_hal_service gpu_device:dir search;
allow merged_hal_service sw_sync_device:chr_file rw_file_perms;
-allow merged_hal_service debugfs_tracing:file w_file_perms;
#for ape hidl permissions
hal_server_domain(merged_hal_service, hal_mtk_codecservice)
diff --git a/basic/non_plat/meta_tst.te b/basic/non_plat/meta_tst.te
index bdb87cb..a5f96ed 100644
--- a/basic/non_plat/meta_tst.te
+++ b/basic/non_plat/meta_tst.te
@@ -245,7 +245,6 @@
#Date: W17.27
# Purpose: STMicro NFC solution integration
allow meta_tst vendor_file:file rx_file_perms;
-allow meta_tst debugfs_tracing:file w_file_perms;
# Date: W17.29
# Purpose : Allow meta_tst to call vendor.mediatek.hardware.keymaster_attestation@1.0-service.
diff --git a/basic/non_plat/mnld.te b/basic/non_plat/mnld.te
index 996dea4..d9fd23b 100644
--- a/basic/non_plat/mnld.te
+++ b/basic/non_plat/mnld.te
@@ -92,7 +92,6 @@
binder_call(mnld, system_server)
allow mnld fwk_sensor_hwservice:hwservice_manager find;
get_prop(mnld, hwservicemanager_prop)
-allow mnld debugfs_tracing:file w_file_perms;
allow mnld mnt_vendor_file:dir search;
diff --git a/basic/non_plat/mtk_hal_audio.te b/basic/non_plat/mtk_hal_audio.te
index d948673..9faf14b 100644
--- a/basic/non_plat/mtk_hal_audio.te
+++ b/basic/non_plat/mtk_hal_audio.te
@@ -177,10 +177,6 @@
# for usb phone call, allow sys_nice
allow mtk_hal_audio self:capability sys_nice;
-# Date : W17.29
-# Boot for opening trace file: Permission denied (13)
-allow mtk_hal_audio debugfs_tracing:file w_file_perms;
-
# Audio Tuning Tool Android O porting
binder_call(mtk_hal_audio, audiocmdservice_atci)
@@ -215,11 +211,6 @@
# Date : WK20.26
allow mtk_hal_audio sysfs_dt_firmware_android:file r_file_perms;
-# Date : WK20.36
-# Operation : Migration
-# Purpose : AAudio HAL
-allow mtk_hal_audio debugfs_ion:dir search;
-
# Date : 2021/06/15
# Purpose: Allow to change mtk MMQoS scenario
allow mtk_hal_audio sysfs_mtk_mmqos_scen:file w_file_perms;
diff --git a/basic/non_plat/mtk_hal_c2.te b/basic/non_plat/mtk_hal_c2.te
index b15e2c9..2665062 100644
--- a/basic/non_plat/mtk_hal_c2.te
+++ b/basic/non_plat/mtk_hal_c2.te
@@ -31,7 +31,6 @@
neverallow mtk_hal_c2 domain:{ tcp_socket udp_socket rawip_socket } *;
#============= mtk_hal_c2 ==============
-allow mtk_hal_c2 debugfs_ion:dir search;
allow mtk_hal_c2 proc_ged:file rw_file_perms;
allowxperm mtk_hal_c2 proc_ged:file ioctl { proc_ged_ioctls };
allow mtk_hal_c2 gpu_device:dir search;
diff --git a/basic/non_plat/mtk_hal_camera.te b/basic/non_plat/mtk_hal_camera.te
index a618509..fb19fff 100644
--- a/basic/non_plat/mtk_hal_camera.te
+++ b/basic/non_plat/mtk_hal_camera.te
@@ -234,10 +234,8 @@
allow mtk_hal_camera proc_ged:file rw_file_perms;
allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls };
-allow mtk_hal_camera debugfs_tracing:file w_file_perms;
## Purpose : camera3 IT/CTS
-allow mtk_hal_camera debugfs_ion:dir search;
allow mtk_hal_camera hal_graphics_composer_default:fd use;
# Date : WK17.30
diff --git a/basic/non_plat/mtk_hal_gpu.te b/basic/non_plat/mtk_hal_gpu.te
index 792430e..c1abd1e 100644
--- a/basic/non_plat/mtk_hal_gpu.te
+++ b/basic/non_plat/mtk_hal_gpu.te
@@ -35,10 +35,7 @@
allow mtk_hal_gpu init:unix_stream_socket connectto;
allow mtk_hal_gpu property_socket:sock_file write;
-allow mtk_hal_gpu debugfs_ged:dir rw_dir_perms;
-allow mtk_hal_gpu debugfs_ged:file rw_file_perms;
allow mtk_hal_gpu proc_ged:file rw_file_perms;
allow mtk_hal_gpu hal_graphics_allocator_default:fd use;
allow mtk_hal_gpu ion_device:chr_file r_file_perms;
-allow mtk_hal_gpu debugfs_ion:dir search;
diff --git a/basic/non_plat/mtk_hal_imsa.te b/basic/non_plat/mtk_hal_imsa.te
index d5bc3e9..45add0b 100644
--- a/basic/non_plat/mtk_hal_imsa.te
+++ b/basic/non_plat/mtk_hal_imsa.te
@@ -25,4 +25,3 @@
# Operation : IMSA sanity
# Purpose : Add permission for IMSA to access radio
allow mtk_hal_imsa radio:binder call;
-allow mtk_hal_imsa debugfs_tracing:file w_file_perms;
diff --git a/basic/non_plat/mtk_hal_keymanage.te b/basic/non_plat/mtk_hal_keymanage.te
index 016b8ec..fb18e25 100644
--- a/basic/non_plat/mtk_hal_keymanage.te
+++ b/basic/non_plat/mtk_hal_keymanage.te
@@ -21,4 +21,3 @@
allow mtk_hal_keymanage key_install_data_file:dir w_dir_perms;
allow mtk_hal_keymanage key_install_data_file:file create_file_perms;
-allow mtk_hal_keymanage debugfs_tracing:file w_file_perms;
diff --git a/basic/non_plat/mtk_hal_mms.te b/basic/non_plat/mtk_hal_mms.te
index 9329eb7..c78d028 100644
--- a/basic/non_plat/mtk_hal_mms.te
+++ b/basic/non_plat/mtk_hal_mms.te
@@ -35,7 +35,6 @@
# Purpose : Allow to use graphics allocator fd for gralloc_extra
allow mtk_hal_mms hal_graphics_allocator_default:fd use;
-allow mtk_hal_mms debugfs_ion:dir search;
allow mtk_hal_mms merged_hal_service:fd use;
# Purpose : VDEC/VENC device node
diff --git a/basic/non_plat/surfaceflinger.te b/basic/non_plat/surfaceflinger.te
index 5abd9c1..dab5375 100644
--- a/basic/non_plat/surfaceflinger.te
+++ b/basic/non_plat/surfaceflinger.te
@@ -21,7 +21,6 @@
# Purpose: Fix bootup fail
allow surfaceflinger proc_bootprof:file r_file_perms;
-allow surfaceflinger debugfs_ion:dir search;
allow surfaceflinger kernel:dir search;
# Date : WK17.30
diff --git a/basic/non_plat/vendor_init.te b/basic/non_plat/vendor_init.te
index fca5cd9..ba82844 100644
--- a/basic/non_plat/vendor_init.te
+++ b/basic/non_plat/vendor_init.te
@@ -70,13 +70,6 @@
set_prop(vendor_init, vendor_mtk_wifi_hal_prop)
set_prop(vendor_init, vendor_mtk_powerhal_prop)
-# mmstat tracer
-allow vendor_init debugfs_tracing_instances:dir create_dir_perms;
-allow vendor_init debugfs_tracing_instances:file w_file_perms;
-
-#boot tracer
-allow vendor_init debugfs_tracing_debug:file w_file_perms;
-
# Set surfaceflinger cpu policy property
set_prop(vendor_init, vendor_mtk_debug_sf_cpupolicy_prop)
diff --git a/basic/non_plat/vpud_native.te b/basic/non_plat/vpud_native.te
index 312437e..457a5ee 100644
--- a/basic/non_plat/vpud_native.te
+++ b/basic/non_plat/vpud_native.te
@@ -33,7 +33,6 @@
hal_client_domain(vpud_native, hal_power)
allow vpud_native mediaserver:fd use;
-allow vpud_native debugfs_ion:dir search;
not_full_treble(`
allow vpud_native shell_exec:file { execute read open execute_no_trans getattr };
diff --git a/basic/plat_private/crash_dump.te b/basic/plat_private/crash_dump.te
index c976e33..91484c3 100644
--- a/basic/plat_private/crash_dump.te
+++ b/basic/plat_private/crash_dump.te
@@ -81,9 +81,6 @@
# Purpose : allow crash_dump to read /proc/version
allow crash_dump proc_version:file r_file_perms;
-# Purpose: Allow crash_dump to write /sys/kernel/debug/tracing/snapshot
-userdebug_or_eng(`allow crash_dump debugfs_tracing_debug:file rw_file_perms;')
-
# Purpose: receive dropbox message
allow crash_dump dropbox_data_file:file { getattr read };
allow crash_dump dropbox_service:service_manager find;
diff --git a/basic/plat_private/dumpstate.te b/basic/plat_private/dumpstate.te
index c882261..8444bea 100644
--- a/basic/plat_private/dumpstate.te
+++ b/basic/plat_private/dumpstate.te
@@ -26,9 +26,6 @@
# u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
hal_client_domain(dumpstate, hal_camera)
-#Purpose: Allow dumpstate to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
-userdebug_or_eng(`allow dumpstate debugfs_tracing_debug:file rw_file_perms;')
-
# Purpose: Allow dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
allow dumpstate sysfs_vibrator:file w_file_perms;
diff --git a/basic/plat_private/init.te b/basic/plat_private/init.te
index fb88f18..89dffbe 100644
--- a/basic/plat_private/init.te
+++ b/basic/plat_private/init.te
@@ -7,8 +7,6 @@
allow init system_file:system module_load;
# boot process denial clean up
-allow init debugfs_tracing:dir w_dir_perms;
-allow init debugfs_tracing:file w_file_perms;
allow init sysfs_devices_system_cpu:file relabelfrom;
domain_auto_trans(init, mtk_plpath_utils_exec, update_engine)
diff --git a/bsp/non_plat/bootanim.te b/bsp/non_plat/bootanim.te
index 6d34bc6..fe42976 100644
--- a/bsp/non_plat/bootanim.te
+++ b/bsp/non_plat/bootanim.te
@@ -12,4 +12,3 @@
# Purpose : for gpu access
allow bootanim dri_device:chr_file rw_file_perms;
-allow bootanim debugfs_ion:dir search;
diff --git a/bsp/non_plat/camerapostalgo.te b/bsp/non_plat/camerapostalgo.te
index 9023a6d..3fa35dc 100644
--- a/bsp/non_plat/camerapostalgo.te
+++ b/bsp/non_plat/camerapostalgo.te
@@ -16,7 +16,6 @@
allow camerapostalgo proc_ged:file r_file_perms;
allowxperm camerapostalgo proc_ged:file ioctl { proc_ged_ioctls };
-allow camerapostalgo debugfs_ion:dir search;
# ipc call
hal_client_domain(camerapostalgo, hal_mtk_mms)
diff --git a/bsp/non_plat/capability_app.te b/bsp/non_plat/capability_app.te
index 106af33..ffcf175 100644
--- a/bsp/non_plat/capability_app.te
+++ b/bsp/non_plat/capability_app.te
@@ -6,4 +6,3 @@
# ==============================================
allow capability_app sysfs_boot_mode:file r_file_perms;
-allow capability_app debugfs_ion:dir search;
diff --git a/bsp/non_plat/gatekeeperd.te b/bsp/non_plat/gatekeeperd.te
index bba3640..7f143cb 100644
--- a/bsp/non_plat/gatekeeperd.te
+++ b/bsp/non_plat/gatekeeperd.te
@@ -8,7 +8,6 @@
allow hal_gatekeeper_default mobicore:unix_stream_socket { connectto read write };
allow hal_gatekeeper_default mobicore_user_device:chr_file { read write open ioctl};
-allow hal_gatekeeper_default debugfs_tracing:file write;
allow hal_gatekeeper_default mnt_vendor_file:dir search;
allow hal_gatekeeper_default persist_data_file:dir { write search add_name remove_name};
allow hal_gatekeeper_default persist_data_file:file { write read getattr open create unlink};
diff --git a/bsp/non_plat/hal_drm_widevine.te b/bsp/non_plat/hal_drm_widevine.te
index fb632d2..2c2a4a0 100644
--- a/bsp/non_plat/hal_drm_widevine.te
+++ b/bsp/non_plat/hal_drm_widevine.te
@@ -1,6 +1,3 @@
-allow hal_drm_widevine debugfs_tracing:file write;
-allow hal_drm_widevine debugfs_ion:dir search;
-
# Allow widevine hidl process read keybox stored in /mnt/vendor/persist
allow hal_drm_widevine mnt_vendor_file:dir search;
diff --git a/bsp/non_plat/hal_fingerprint_default.te b/bsp/non_plat/hal_fingerprint_default.te
index 49901f4..4543c7e 100644
--- a/bsp/non_plat/hal_fingerprint_default.te
+++ b/bsp/non_plat/hal_fingerprint_default.te
@@ -17,5 +17,4 @@
allow hal_fingerprint_default mobicore_user_device:unix_stream_socket connectto;
allow hal_fingerprint_default mobicore:unix_stream_socket connectto;
allow hal_fingerprint_default tmpfs:chr_file rw_file_perms;
-allow hal_fingerprint_default debugfs_trace_marker:file rw_file_perms;
allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/mediacodec.te b/bsp/non_plat/mediacodec.te
index ea34c6b..f6affa0 100644
--- a/bsp/non_plat/mediacodec.te
+++ b/bsp/non_plat/mediacodec.te
@@ -20,7 +20,6 @@
# Date : WK16.28
# Operation : video codec driver
# Purpose : for performance profiling and timing issue tracking during video playback
-allow mediacodec debugfs_fb:dir search;
# Date : WK16.29
# Operation : Migration
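Review bot: After this deletion the three-line header above the removed rule (`# Date : WK16.28`, `# Operation : video codec driver`, `# Purpose : for performance profiling and timing issue tracking during video playback`) documents no rule at all, since the next line is already the WK16.29 header. Remove those three comment lines together with `allow mediacodec debugfs_fb:dir search;`, so that the file does not suggest a profiling permission that is no longer granted. Other hunks in this commit (for example cameraserver.te and system_app.te) already delete the header along with the rule, and this one should match.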
diff --git a/bsp/non_plat/mediaswcodec.te b/bsp/non_plat/mediaswcodec.te
index 60af43c..561e8ad 100644
--- a/bsp/non_plat/mediaswcodec.te
+++ b/bsp/non_plat/mediaswcodec.te
@@ -1,7 +1,6 @@
# Date : WK19.25
# Operation : Migration
# Purpose : [ALPS04666895] DRTS failed due to avc denied
-allow mediaswcodec debugfs_ion:dir rw_dir_perms;
allow mediaswcodec gpu_device:dir rw_dir_perms;
allow mediaswcodec dri_device:chr_file rw_file_perms;
allow mediaswcodec gpu_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/bsp/non_plat/mtk_advcamserver.te b/bsp/non_plat/mtk_advcamserver.te
index c5be294..32f5d78 100644
--- a/bsp/non_plat/mtk_advcamserver.te
+++ b/bsp/non_plat/mtk_advcamserver.te
@@ -9,6 +9,5 @@
allow mtk_advcamserver hal_graphics_allocator_default:fd use;
allow mtk_advcamserver hal_graphics_mapper_hwservice:hwservice_manager find;
-allow mtk_advcamserver debugfs_ion:dir search;
allow mtk_advcamserver proc_perfmgr:dir search;
allow mtk_advcamserver proc_perfmgr:file r_file_perms;
diff --git a/bsp/non_plat/mtk_hal_keyinstall.te b/bsp/non_plat/mtk_hal_keyinstall.te
index 43978f7..b97bd39 100644
--- a/bsp/non_plat/mtk_hal_keyinstall.te
+++ b/bsp/non_plat/mtk_hal_keyinstall.te
@@ -24,4 +24,3 @@
allow mtk_hal_keyinstall key_install_data_file:dir { write add_name remove_name search };
allow mtk_hal_keyinstall key_install_data_file:file { write create setattr read getattr unlink open append };
-allow mtk_hal_keyinstall debugfs_tracing:file { write };
diff --git a/bsp/non_plat/mtk_hal_neuralnetworks.te b/bsp/non_plat/mtk_hal_neuralnetworks.te
index 4ec2c13..edce950 100644
--- a/bsp/non_plat/mtk_hal_neuralnetworks.te
+++ b/bsp/non_plat/mtk_hal_neuralnetworks.te
@@ -8,7 +8,6 @@
hal_server_domain(mtk_hal_neuralnetworks, hal_neuralnetworks)
allow mtk_hal_neuralnetworks ion_device:chr_file rw_file_perms;
-allow mtk_hal_neuralnetworks debugfs_ion:dir r_dir_perms;
allow mtk_hal_neuralnetworks vpu_device:chr_file rw_file_perms;
allow mtk_hal_neuralnetworks mdla_device:chr_file rw_file_perms;
allow mtk_hal_neuralnetworks apusys_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/mtk_hal_wfo.te b/bsp/non_plat/mtk_hal_wfo.te
index 1b97183..31ee3a9 100644
--- a/bsp/non_plat/mtk_hal_wfo.te
+++ b/bsp/non_plat/mtk_hal_wfo.te
@@ -12,4 +12,3 @@
# Operation : IT
# Purpose: WifiOffloadService HIDL Migration
allow mtk_hal_wfo mal_mfi_socket:sock_file write;
-allow mtk_hal_wfo debugfs_tracing:file w_file_perms;
diff --git a/bsp/non_plat/platform_app.te b/bsp/non_plat/platform_app.te
index 8fc1bc8..d3ed7d9 100644
--- a/bsp/non_plat/platform_app.te
+++ b/bsp/non_plat/platform_app.te
@@ -54,7 +54,6 @@
allow platform_app mtk_hal_pplagent_hwservice:hwservice_manager find;
allow platform_app ppl_agent:binder call;
-allow platform_app debugfs_ion:dir search;
# Date: 2018/06/19
# Operation: Migration
diff --git a/bsp/non_plat/priv_app.te b/bsp/non_plat/priv_app.te
deleted file mode 100644
index 8ab7039..0000000
--- a/bsp/non_plat/priv_app.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# ==============================================
-# Common SEPolicy Rule
-# ==============================================
-
-# Date: 2019/06/17
-# Operation: Migration
-# Purpose: allow priv_app to search debugfs_ion dir
-allow priv_app debugfs_ion:dir search;
diff --git a/bsp/non_plat/system_app.te b/bsp/non_plat/system_app.te
index fdf05f8..e996d85 100644
--- a/bsp/non_plat/system_app.te
+++ b/bsp/non_plat/system_app.te
@@ -39,11 +39,6 @@
# Purpose: Allow to use HAL PQ
hal_client_domain(system_app, hal_mtk_pq)
-# Date : WK17.29
-# Operation : Migration
-# Purpose : for device bring up, not to block early SQC
-allow system_app debugfs_ion:dir search;
-
# Date:W17.29
# Operation : presence hal developing
# Purpose : Allow to use HAL presence
@@ -116,7 +111,6 @@
# Date: 2018/04/18
# Purpose: Allow to use HIDL and access mtk_hal_neuralnetworks
allow system_app mtk_hal_neuralnetworks:binder { call transfer };
-allow system_app debugfs_ion:dir search;
# Date: 2018/10/31
# Operation: Support SubsidyLock
diff --git a/bsp/non_plat/system_server.te b/bsp/non_plat/system_server.te
index 2f3c0c4..053a321 100644
--- a/bsp/non_plat/system_server.te
+++ b/bsp/non_plat/system_server.te
@@ -76,9 +76,6 @@
# Date : W19.12
# Operation : For DuraSpeed Migration
allow system_server proc_cpu_loading:file rw_file_perms;
-userdebug_or_eng(`
-allow system_server debugfs_tracing_debug:file r_file_perms;
-')
allow system_server proc_low_memory_hit:file rw_file_perms;
allow system_server duraspeed_data_file:dir create_dir_perms;
allow system_server duraspeed_data_file:file create_file_perms;
diff --git a/bsp/non_plat/untrusted_app.te b/bsp/non_plat/untrusted_app.te
index 020625d..def686c 100644
--- a/bsp/non_plat/untrusted_app.te
+++ b/bsp/non_plat/untrusted_app.te
@@ -28,7 +28,6 @@
# Date: 2018/04/18
# Purpose: Allow untrusted_app to use HIDL and access mtk_hal_neuralnetworks
allow untrusted_app mtk_hal_neuralnetworks:binder { call transfer };
-allow untrusted_app debugfs_ion:dir search;
# Date: 2020/06/29
# Operation : eMBMS Migration
diff --git a/bsp/non_plat/untrusted_app_all.te b/bsp/non_plat/untrusted_app_all.te
index ba97cd0..12f2447 100644
--- a/bsp/non_plat/untrusted_app_all.te
+++ b/bsp/non_plat/untrusted_app_all.te
@@ -4,11 +4,6 @@
# Date: 2019/06/17
# Operation : Migration
-# Purpose :allow untrusted_app to search debugfs_ion dir
-allow untrusted_app_all debugfs_ion:dir search;
-
-# Date: 2019/06/17
-# Operation : Migration
# Purpose :allow untrusted_app to search sysfs_mmcblk dir
allow untrusted_app_all sysfs_devices_block:dir search;
get_prop(untrusted_app_all, vendor_mtk_nn_option_prop)
diff --git a/bsp/non_plat/volte_clientapi_ua.te b/bsp/non_plat/volte_clientapi_ua.te
index 1401954..9643d7d 100644
--- a/bsp/non_plat/volte_clientapi_ua.te
+++ b/bsp/non_plat/volte_clientapi_ua.te
@@ -19,4 +19,3 @@
# Operation : IT
# Purpose: clientapi HIDL Migration
get_prop(volte_clientapi_ua, hwservicemanager_prop)
-allow volte_clientapi_ua debugfs_tracing:file w_file_perms;
diff --git a/bsp/non_plat/volte_rcs_ua.te b/bsp/non_plat/volte_rcs_ua.te
index c4aa31d..4a53788 100644
--- a/bsp/non_plat/volte_rcs_ua.te
+++ b/bsp/non_plat/volte_rcs_ua.te
@@ -15,11 +15,6 @@
# call into system_app process (callbacks)
binder_call(volte_rcs_ua, system_app)
-# Date : W17.31
-# Operation : IT
-# Purpose: Rcs HIDL Migration
-allow volte_rcs_ua debugfs_tracing:file { write open };
-
# Date : W1747
# Operation: RCS over Internet development
# Purpose: For volte_rcs_ua to be able to talk to rcs_volte_stack
diff --git a/bsp/non_plat/vtservice.te b/bsp/non_plat/vtservice.te
index 7170501..c39f7db 100644
--- a/bsp/non_plat/vtservice.te
+++ b/bsp/non_plat/vtservice.te
@@ -122,7 +122,6 @@
allow vtservice self:udp_socket create_socket_perms_no_ioctl;
allow vtservice node:udp_socket node_bind;
-allow vtservice debugfs_ion:dir search;
allow vtservice fwmarkd_socket:sock_file write;
allow vtservice hal_graphics_allocator_default:binder call;
allow vtservice hal_graphics_allocator_default:fd use;
diff --git a/bsp/non_plat/vtservice_hidl.te b/bsp/non_plat/vtservice_hidl.te
index 58daa01..60675e3 100644
--- a/bsp/non_plat/vtservice_hidl.te
+++ b/bsp/non_plat/vtservice_hidl.te
@@ -36,7 +36,6 @@
get_prop(vtservice_hidl, hwservicemanager_prop)
-allow vtservice_hidl debugfs_tracing:file w_file_perms;
allow vtservice_hidl system_file:dir r_file_perms;
allow vtservice_hidl rild:unix_stream_socket connectto;