Merge "Add vendor_executes_system_violators attribute" into oc-dev

am: 80cab7de

Change-Id: Iba1cf44b3e7c965b8ea7033b80a25393730512e9

public/attributes

@@ -141,6 +141,11 @@ attribute binder_in_vendor_violators;
 # TODO(b/36577153): Remove this once there are no violations
 attribute socket_between_core_and_vendor_violators;
 
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients

public/domain.te

@@ -680,13 +680,12 @@ full_treble_only(`
 
     # Do not allow vendor components to execute files from system
     # except for the ones whitelist here.
-    # TODO:(b/36463595) Make this a neverallow
-    userdebug_or_eng(`
-        auditallow {
+    neverallow {
         domain
         -coredomain
         -appdomain
         -rild
+        -vendor_executes_system_violators
     } {
         exec_type
         -vendor_file_type
@@ -694,7 +693,6 @@ full_treble_only(`
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
 ')
-')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {