Add vendor_executes_system_violators attribute

Temporary attribute (checked against in CTS) to point out vendor
processes that run /system executables. These are currently only down to
2-3 of them that are related to telephony on sailfish

Bug: 36463595
Test: Build succeeds for sailfish
Test: ./cts-tradefed run cts -m CtsSecurityHostTestCases -t \
          android.security.cts.SELinuxHostTest#testNoExemptionsForVendorExecutingCore \
          --skip-device-info --skip-preconditions --skip-connectivity-check \
          --abi arm64-v8a

Change-Id: I9eb40ad259aefba73869d6a1b40186d33fa475dd
Signed-off-by: Sandeep Patil <sspatil@google.com>

public/attributes

@@ -141,6 +141,11 @@ attribute binder_in_vendor_violators;
 # TODO(b/36577153): Remove this once there are no violations
 attribute socket_between_core_and_vendor_violators;
 
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients

public/domain.te

@@ -680,20 +680,18 @@ full_treble_only(`
 
     # Do not allow vendor components to execute files from system
     # except for the ones whitelist here.
-    # TODO:(b/36463595) Make this a neverallow
-    userdebug_or_eng(`
-        auditallow {
-            domain
-            -coredomain
-            -appdomain
-            -rild
-        } {
-            exec_type
-            -vendor_file_type
-            -crash_dump_exec
-            -netutils_wrapper_exec
-        }:file { entrypoint execute execute_no_trans };
-    ')
+    neverallow {
+        domain
+        -coredomain
+        -appdomain
+        -rild
+        -vendor_executes_system_violators
+    } {
+        exec_type
+        -vendor_file_type
+        -crash_dump_exec
+        -netutils_wrapper_exec
+    }:file { entrypoint execute execute_no_trans };
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache