Merge cherrypicks of ['googleplex-android-review.googlesource.com/33077800'] into 25Q2-release.
Change-Id: I6444e11f919f6f2fee2c99d60721bbd39229061a
diff --git a/private/system_server.te b/private/system_server.te
index c0c1c4b..29db20e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1467,7 +1467,7 @@
# never shipped to users.
ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
`allow system_server self:process execmem;',
- `neverallow system_server self:process execmem;')
+ on_physical_device(`neverallow system_server self:process execmem;'))
neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
# TODO: deal with tmpfs_domain pub/priv split properly
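Review bot: Wrapping the else-branch in `on_physical_device` does not change what is compiled: as defined in the public/te_macros hunk, the macro expands to its argument unconditionally between two marker comments, so `neverallow system_server self:process execmem;` still appears in the policy and is still checked at policy build time on every target; only a consumer of the markers (the macro's comment names CTS) can treat virtual devices differently. The comment block that ends at the top of this hunk (it starts outside the hunk) explains the swiftshader exception but says nothing about the new wrapper, so a reader will assume the neverallow is dropped on virtual devices. Suggest adding directly above the `ifelse` a line such as `# on_physical_device() only marks the neverallow for CTS; the rule is still compiled into the policy for all targets.`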
diff --git a/public/te_macros b/public/te_macros
index f08e81e..e547eba 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -622,6 +622,18 @@
#
define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
+#####################################
+# On physical devices
+# SELinux neverallow assertions that are enforced only on physical devices. It
+# can be used to support special requirements for virtual devices. This is
+# equivalent to the @RequiresDevice annotation in CTS.
+#
+define(`on_physical_device',
+# BEGIN_PHYSICAL_DEVICE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_PHYSICAL_DEVICE_ONLY -- this marker is used by CTS -- do not modify
+)
+
####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
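Review bot: The header comment added at the top of this hunk says these assertions are "enforced only on physical devices", but the macro body emits `$1` unconditionally between two marker comments, so the wrapped rule is still part of the compiled policy on virtual devices as well; the distinction exists only for whatever consumes the BEGIN/END markers. Suggest rewording to `# SELinux neverallow assertions that CTS checks only on physical devices (equivalent to the @RequiresDevice annotation). The rule is still compiled into the policy everywhere; this macro only surrounds it with markers the CTS test recognizes.` It would also help to state that the marker lines must stay on their own lines and contain no commas or parentheses, since the body is an unquoted m4 define argument and the markers are emitted as m4 comments.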