selinux : remove net_admin and root user/group

1) remove net_admin in cnss_diag.te and cnss-daemon.te

2) change the root user/group to system user/group of cnss_diag

Bug: 35326998
Bug: 32775496
Bug: 28340421

Change-Id: I2efd45395c9dcd32ae1075cbbb50aa205750f038
Signed-off-by: Ecco Park <eccopark@google.com>

init.common.diag.rc.userdebug

@@ -107,8 +107,8 @@ on property:persist.sys.cnss.diag_txt=false
 
 service cnss_diag_txt /system/bin/cnss_diag -s -f -m /data/cnss_diag/cnss_diag.conf
     class late_start
-    user root
-    group root
+    user system
+    group system
     disabled
     oneshot
 

init.common.rc

@@ -664,14 +664,14 @@ service wpa_supplicant /vendor/bin/hw/wpa_supplicant \
 
 service cnss_diag /system/bin/cnss_diag -q
     class late_start
-    user root
-    group root
+    user system
+    group system
     oneshot
 
 service cnss-daemon /system/bin/cnss-daemon -n -l
     class late_start
     user system
-    group system inet net_admin wifi
+    group system inet wifi
 
 service loc_launcher /system/bin/loc_launcher
     #loc_launcher will start as root and set its uid to gps

sepolicy/cnss-daemon.te

@@ -2,13 +2,9 @@
 type cnss-daemon, domain;
 type cnss-daemon_exec, exec_type, file_type;
 
-# STOPSHIP b/28340421
-# Temporarily grant this permission and log its use.
 allow cnss-daemon self:capability {
-    net_admin
     net_bind_service
 };
-auditallow cnss-daemon self:capability net_admin;
 
 init_daemon_domain(cnss-daemon)
 

sepolicy/cnss_diag.te

@@ -2,11 +2,6 @@
 type cnss_diag, domain;
 type cnss_diag_exec, exec_type, file_type;
 
-# STOPSHIP b/28340421
-# Temporarily grant this permission and log its use.
-allow cnss_diag self:capability net_admin;
-auditallow cnss_diag self:capability net_admin;
-
 init_daemon_domain(cnss_diag)
 
 allow cnss_diag self:capability { setgid setuid };