sepolicy : cleanup rule accessing to "sysfs"

As part of security hardening access to sysfs label related
sepolicy rules should be removed.
So cleaning all the  directory  reads  and   sysfs:file access
which were seen in the following .
  hal_bootctl
  hal_gnss_qti
  hal_pasrmanager
  pd_services
  ssr_diag
  ssr_setup
  thermal-engine
  qmuxd
  sensors
  hal_perf_default

Change-Id: I51e98a3f68211357e2bb1455f28a96fc3aad4d88

generic/vendor/common/hal_bootctl.te

@@ -55,9 +55,6 @@ allow hal_bootctl sg_device:chr_file rw_file_perms;
 # does not result in a error
 dontaudit hal_bootctl self:capability sys_rawio;
 
-# Read the sysfs to lookup what /dev/sgN device
-# corresponds to the XBL partitions.
-allow hal_bootctl sysfs:dir r_dir_perms;
 
 # Write to the XBL devices.
 allow hal_bootctl xbl_block_device:blk_file rw_file_perms;

generic/vendor/common/init_shell.te

@@ -43,7 +43,6 @@ allow qti_init_shell vendor_toolbox_exec:file  rx_file_perms;
 # For getting idle_time value
 # this is needed for dynamic_fps and bw_mode_bitmap
 allow qti_init_shell sysfs_graphics:file {rw_file_perms setattr};
-allow qti_init_shell sysfs:file setattr;
 
 allow qti_init_shell mnt_vendor_file:dir w_dir_perms;
 allow qti_init_shell mnt_vendor_file:file create_file_perms;
@@ -135,7 +134,6 @@ allow qti_init_shell sysfs_kgsl:file { r_file_perms setattr };
 
 allow qti_init_shell proc:file r_file_perms;
 allow qti_init_shell rootfs:file r_file_perms;
-allow qti_init_shell sysfs:file r_file_perms;
 
 allow qti_init_shell radio_vendor_data_file:dir create_dir_perms;
 allow qti_init_shell radio_vendor_data_file:file create_file_perms;

generic/vendor/common/qti.te

@@ -44,4 +44,3 @@ userdebug_or_eng(`
     allow qti { sysfs_data sysfs_timestamp_switch} :file r_file_perms;
 ')
 allow qti mhi_device:chr_file rw_file_perms;
-allow qti sysfs:dir r_dir_perms;

generic/vendor/common/sensors.te

@@ -55,7 +55,6 @@ allow sensors sensors_vendor_data_file:file create_file_perms;
 allow sensors system_file:dir r_dir_perms;
 allow sensors sensors_device:chr_file rw_file_perms;
 
-allow sensors sysfs:dir r_dir_perms;
 allow sensors sysfs_soc:file w_file_perms;
 allow sensors sysfs_data:file r_file_perms;
 

legacy/vendor/common/hal_bootctl.te

@@ -51,7 +51,6 @@ allow hal_bootctl root_block_device:blk_file rw_file_perms;
 # A/B slot selection for the XBL partition. Allow also to issue a
 # UFS_IOCTL_QUERY ioctl.
 allow hal_bootctl sg_device:chr_file rw_file_perms;
-allow hal_bootctl sysfs:dir r_dir_perms;
 
 # The sys_rawio denial message is benign, and shows up due to a capability()
 # call made by the scsi driver to check for CAP_SYS_RAWIO. Not having this

legacy/vendor/common/hal_gnss_qti.te

@@ -52,7 +52,6 @@ allow hal_gnss self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_re
 
 allow hal_gnss self:{ socket qipcrtr_socket } rw_socket_perms;
 allow hal_gnss sysfs_data:file r_file_perms;
-allow hal_gnss sysfs:dir r_dir_perms;
 
 allow hal_gnss self:socket { create ioctl };
 

legacy/vendor/common/hal_pasrmanager.te

@@ -36,6 +36,5 @@ binder_call(hal_pasrmanager_client, hal_pasrmanager_server)
 add_hwservice(hal_pasrmanager_server, hal_pasrmanager_hwservice)
 allow hal_pasrmanager_client hal_pasrmanager_hwservice:hwservice_manager find;
 
-allow hal_pasrmanager_qti sysfs:dir r_dir_perms;
 allow hal_pasrmanager_qti sysfs_memory_offline:file rw_file_perms;
 allow hal_pasrmanager_qti sysfs_memory_offline:dir r_dir_perms;

legacy/vendor/common/hal_perf_default.te

@@ -61,7 +61,6 @@ allow hal_perf {
     sysfs_msm_perf
     sysfs_memory
     sysfs_graphics
-    sysfs
     sysfs_msm_power
     sysfs_battery_supply
     sysfs_process_reclaim

legacy/vendor/common/init.te

@@ -67,8 +67,6 @@ allow init sysfs_boot_adsp:file write;
 allow init sysfs_slpi:file write;
 allow init sysfs_graphics:file setattr;
 
-#dontaudit non configfs usb denials
-dontaudit init sysfs:dir write;
 
 #load /vendor/lib/modules/qca_cld3/qca_cld3_wlan.ko
 #load /vendor/lib/modules/wil6210.ko

legacy/vendor/common/pd_services.te

@@ -41,7 +41,6 @@ allow vendor_pd_mapper self:capability { setpcap setuid setgid net_bind_service
 allow vendor_pd_mapper smem_log_device:chr_file rw_file_perms;
 qmux_socket(vendor_pd_mapper);
 
-allow vendor_pd_mapper sysfs:file r_file_perms;
 allow vendor_pd_mapper sysfs_data:file r_file_perms;
 
 #Allow pd-mapper to write error strings from non-hlos side to kmsg

legacy/vendor/common/peripheral_manager.te

@@ -47,7 +47,6 @@ allow vendor_per_mgr ssr_device:chr_file r_file_perms;
 
 # Needed by libmdmdetect to get subsystem info and to check their states
 r_dir_file(vendor_per_mgr, firmware_file)
-r_dir_file(vendor_per_mgr, sysfs)
 allow vendor_per_mgr sysfs_data:file r_file_perms;
 
 # Set the peripheral state property

legacy/vendor/common/qmuxd.te

@@ -59,8 +59,6 @@ allow qmuxd {
 #Allow qmuxd to operate in platform specific transports
 allow qmuxd {
     sysfs_smd_open_timeout
-    #Allow qmuxd to write in hsic specific transport
-    sysfs
     sysfs_hsic_modem_wait
 }:file w_file_perms;
 

legacy/vendor/common/sensors.te

@@ -95,7 +95,6 @@ userdebug_or_eng(`
 #binder_call(sensors, servicemanager)
 binder_call(sensors, vendor_per_mgr)
 
-allow sensors sysfs:dir r_dir_perms;
 allow sensors sysfs_socinfo:file w_file_perms;
 allow sensors sysfs_data:file r_file_perms;
 

legacy/vendor/common/spdaemon.te

@@ -54,8 +54,6 @@ allow spdaemon ion_device:chr_file rw_file_perms;
 # Allow to load SPSS firmware images
 r_dir_file(spdaemon, firmware_file);
 
-# Allow get system info
-r_dir_file(spdaemon, sysfs)
 
 # Allow SPSS-PIL via Peripheral Manager
 #binder_use(spdaemon)

legacy/vendor/common/ssr_diag.te

@@ -30,6 +30,5 @@ type vendor_ssr_diag_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(vendor_ssr_diag);
 
 userdebug_or_eng(`
-  allow vendor_ssr_diag sysfs:file w_file_perms;
   diag_use(vendor_ssr_diag)
 ')

legacy/vendor/common/ssr_setup.te

@@ -38,7 +38,6 @@ allow vendor_ssr_setup sysfs_ssr_toggle:file rw_file_perms;
 
 # Keeping this here till sysfs labeling is resolved
 allow vendor_ssr_setup sysfs_data:file r_file_perms;
-allow vendor_ssr_setup sysfs:file w_file_perms;
 allow vendor_ssr_setup sysfs_data:file r_file_perms;
 
 get_prop(vendor_ssr_setup, vendor_ssr_prop)

legacy/vendor/common/thermal-engine.te

@@ -54,13 +54,12 @@ allow thermal-engine socket_device:dir w_dir_perms;
 
 # This is required for thermal sysfs access
 r_dir_file(thermal-engine, sysfs_thermal)
-allow thermal-engine { sysfs_thermal sysfs }:file w_file_perms;
+allow thermal-engine sysfs_thermal:file w_file_perms;
 
 # This is required for qmi access
 qmux_socket(thermal-engine);
 allow thermal-engine sysfs_mpdecision:file rw_file_perms;
 
-r_dir_file(thermal-engine, sysfs)
 r_dir_file(thermal-engine, sysfs_leds)
 
 # This is required for wake alarm access

qva/vendor/common/hal_perf_default.te

@@ -61,7 +61,6 @@ allow hal_perf {
      sysfs_msm_perf
      sysfs_memory
      sysfs_graphics
-     sysfs
      sysfs_msm_power
      sysfs_battery_supply
      sysfs_process_reclaim

qva/vendor/common/spdaemon.te

@@ -32,7 +32,6 @@ type spdaemon_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(spdaemon)
 allow spdaemon spcom_device:chr_file { getattr rw_file_perms };
-r_dir_file(spdaemon, sysfs)
 allow spdaemon skp_device:chr_file { getattr rw_file_perms };
 # Need to check if really needed
 set_prop(spdaemon, spcomlib_prop)