Merge cherrypicks of ['googleplex-android-review.googlesource.com/33077800'] into 25Q2-release.

Change-Id: I6444e11f919f6f2fee2c99d60721bbd39229061a
diff --git a/private/system_server.te b/private/system_server.te
index c0c1c4b..29db20e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1467,7 +1467,7 @@
 # never shipped to users.
 ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
   `allow system_server self:process execmem;',
-  `neverallow system_server self:process execmem;')
+  on_physical_device(`neverallow system_server self:process execmem;'))
 neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
 
 # TODO: deal with tmpfs_domain pub/priv split properly
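Review bot: The new `on_physical_device(...)` wrapper on the `neverallow` at the replaced line relaxes the execmem assertion for virtual devices without any comment saying why, while the surrounding rationale (cut off above the hunk, ending at "never shipped to users.") still reads as if the only exemption is the swiftshader build flag. A reader of this block now has two independent escape hatches — `target_requires_insecure_execmem_for_swiftshader` and the physical-device marker — and no text tying them together; I would add one line above the `ifelse`, e.g. `# On virtual devices the neverallow is also exempted via on_physical_device (see te_macros); the allow is still only granted when target_requires_insecure_execmem_for_swiftshader is set.` Note also that the `allow` branch remains unconditional when the flag is true, so the macro only narrows where the assertion applies, not where execmem is granted; that is worth stating so nobody reads the wrapper as a grant. The `ifelse` begins and ends inside the hunk, but its explanatory comment starts outside it.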
diff --git a/public/te_macros b/public/te_macros
index f08e81e..e547eba 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -622,6 +622,18 @@
 #
 define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
 
+#####################################
+# On physical devices
+# SELinux neverallow assertions that are enforced only on physical devices. It
+# can be used to support special requirements for virtual devices. This is
+# equivalent to the @RequiresDevice annotation in CTS.
+#
+define(`on_physical_device',
+# BEGIN_PHYSICAL_DEVICE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_PHYSICAL_DEVICE_ONLY -- this marker is used by CTS -- do not modify
+)
+
 ####################################
 # Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
 #
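Review bot: The header comment says these assertions are "enforced only on physical devices", but the macro body expands `$1` unconditionally, so the `neverallow` still reaches the policy compiler on every target; the device-specific behaviour presumably comes from the CTS tooling that looks for the `BEGIN_PHYSICAL_DEVICE_ONLY`/`END_PHYSICAL_DEVICE_ONLY` markers, which this hunk does not show. I would make that explicit so readers do not assume the build itself skips the rule on virtual devices, e.g. `# The wrapped rules are still emitted into the compiled policy on all targets; only the CTS neverallow check, which strips the marked region, exempts virtual devices.` It is also worth noting in the comment that a multi-line `$1` is fine here because the markers are emitted as `#` lines around it, not inside it, and that nothing prevents the macro from being nested in another macro whose output is not line-oriented — hedged, since the consumer that parses the markers is not visible in this diff.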