Restrict setting cpu affinity or task profiles

Require the USE_CUSTOM_VIRTUAL_MACHINE permission so that only
platform signed code can use these features.

Bug: 243513572
Test: atest MicrodroidTests MicrodroidHostTestCases
Tests: composd_cmd test-compile
Change-Id: I2735995789d12aae57217f0b9b0b493055f11843
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 352b4f1..dcc2d48 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -596,6 +596,12 @@
     config: &VirtualMachineAppConfig,
     temporary_directory: &Path,
 ) -> Result<VirtualMachineRawConfig> {
+    // Controlling CPUs is reserved for platform apps only, even when using
+    // VirtualMachineAppConfig.
+    if config.cpuAffinity.is_some() || !config.taskProfiles.is_empty() {
+        check_use_custom_virtual_machine()?
+    }
+
     let apk_file = clone_file(config.apk.as_ref().unwrap())?;
     let idsig_file = clone_file(config.idsig.as_ref().unwrap())?;
     let instance_file = clone_file(config.instanceImage.as_ref().unwrap())?;