Add new CTS tag around physical device assert

Cuttlefish sets PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER to
true. This grants a dangerous permission to system_server, which must
never be granted on a physical device.

Mark this assertion with a new tag which can be interpreted at runtime
by CTS.

Bug: 406890511
Test: atest CtsSecurityHostTestCases:android.security.cts.SELinuxNeverallowRulesTest
Flag: TEST_ONLY

(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5da91e5812b938fef8179e98eaac2e193946fb68)
Merged-In: Ibcbbf91d3e884e6a43d472f1e8b59c86cff1ba3e
Change-Id: Ibcbbf91d3e884e6a43d472f1e8b59c86cff1ba3e
diff --git a/private/system_server.te b/private/system_server.te
index c0c1c4b..29db20e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1467,7 +1467,7 @@
# never shipped to users.
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
`allow system_server self:process execmem;',
- `neverallow system_server self:process execmem;')
+ on_physical_device(`neverallow system_server self:process execmem;'))
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
# TODO: deal with tmpfs_domain pub/priv split properly
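Review bot: the comment block ending at "# never shipped to users." should say what on_physical_device() does and does not change here, because the wrapper looks like it replaces the ifelse but it does not. The macro only brackets the neverallow in BEGIN_PHYSICAL_DEVICE_ONLY / END_PHYSICAL_DEVICE_ONLY comment markers, so the rule still compiles into the policy exactly as before and the build-time neverallow check is unchanged; only CTS's runtime interpretation of this rule is affected, and the ifelse on target_requires_insecure_execmem_for_swiftshader remains the mechanism that actually drops the neverallow for Cuttlefish builds. One sentence along the lines of "on_physical_device() marks the rule for CTS; it does not relax build-time enforcement" would prevent future readers from wrapping other rules with it expecting a build-time exemption.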
diff --git a/public/te_macros b/public/te_macros
index f08e81e..e547eba 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -622,6 +622,18 @@
#
define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+#####################################
+# On physical devices
+# SELinux neverallow assertions that are enforced only on physical devices. It
+# can be used to support special requirements for virtual devices. This is
+# equivalent to the @RequiresDevice annotation in CTS.
+#
+define(`on_physical_device',
+# BEGIN_PHYSICAL_DEVICE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_PHYSICAL_DEVICE_ONLY -- this marker is used by CTS -- do not modify
+)
+
####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
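Review bot: the doc comment for on_physical_device should spell out the contract the markers impose, since they are plain m4 line comments with no structure beyond the BEGIN/END text. In particular: (1) state whether nested or overlapping invocations are supported, because the flat BEGIN/END comment pairs carry no nesting information and a consumer matching them line by line would see mismatched pairs; (2) state that the argument must be a complete, newline-terminated statement (as in the system_server.te use), so the END marker always lands on its own line; and (3) reword "It can be used to support special requirements for virtual devices" to say what it actually does, e.g. "lets a neverallow that must hold on physical devices be skipped by CTS on virtual devices such as Cuttlefish". Minor style point: the new header rule is 37 `#` characters while the neighbouring block header below ("# Fallback crash handling ...") uses 36; match the surrounding width.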