Add new CTS tag around physical device assert
Cuttlefish sets PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER to
true. This grants a dangerous permission to system_server, which must
never be granted on a physical device.
Mark this assertion with a new tag which can be interpreted at runtime
by CTS.
Bug: 406890511
Test: atest CtsSecurityHostTestCases:android.security.cts.SELinuxNeverallowRulesTest
Flag: TEST_ONLY
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5da91e5812b938fef8179e98eaac2e193946fb68)
Merged-In: Ibcbbf91d3e884e6a43d472f1e8b59c86cff1ba3e
Change-Id: Ibcbbf91d3e884e6a43d472f1e8b59c86cff1ba3e
diff --git a/private/system_server.te b/private/system_server.te
index c0c1c4b..29db20e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1467,7 +1467,7 @@
# never shipped to users.
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
`allow system_server self:process execmem;',
- `neverallow system_server self:process execmem;')
+ on_physical_device(`neverallow system_server self:process execmem;'))
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
# TODO: deal with tmpfs_domain pub/priv split properly
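Review bot: the new `on_physical_device` macro used on the replaced line is not defined anywhere in this patch, so the hunk only compiles if the definition lives in a separate change to the macro file; please confirm that change lands first (or in the same topic) and document there what the macro expands to and which tag the CTS `SELinuxNeverallowRulesTest` keys on, since nothing in the visible lines explains the runtime interpretation. Also worth noting in the comment above the `ifelse` that the wrapped `neverallow` is only reached when `target_requires_insecure_execmem_for_swiftshader` is false, i.e. the tag does not affect the Cuttlefish `allow` branch on line `allow system_server self:process execmem;`, so the two mechanisms are complementary rather than redundant. Finally, double-check the m4 quoting on `on_physical_device(`neverallow system_server self:process execmem;'))`: the inner quotes are needed so the rule is passed through unexpanded, and the extra closing paren now belongs to `ifelse`; a quick build of the policy with the flag set both ways would catch a mismatch.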