Allow priv apps to use virtualizationservice

And allow VS and crosvm access to privapp_data_file, to the same
extent as app_data_file.

Update some comments, move a neverallow to the bottom of the file with
the others.

Bug: 255286871
Test: Install demo app to system/priv-app, see it work without explicit grant.
Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
diff --git a/private/priv_app.te b/private/priv_app.te
index 9d7a0f6..4dcd1fb 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -201,6 +201,11 @@
 # created by things like renderscript or via other mechanisms.
 allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
 
+# Allow privileged apps to create a VM. Note that access is still
+# guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
+# permission.
+virtualizationservice_use(priv_app)
+
 ###
 ### neverallow rules
 ###
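Review bot: The comment above the new `virtualizationservice_use(priv_app)` line says access "is still guarded" by `android.permission.MANAGE_VIRTUAL_MACHINE`, but that is a framework permission check enforced in virtualizationservice, not something this SELinux rule expresses; consider rewording the comment to make that explicit (e.g. "the SELinux rule only grants reach to the service; the permission check in virtualizationservice is what gates VM creation"), so a future reader of priv_app.te does not assume this policy line is the access control. Also, since the new allow lands directly above the `### neverallow rules ###` block and the commit message says a neverallow is being relocated there, the moved rule should be checked against this macro's expansion to confirm the two do not conflict; that moved neverallow is not visible in this hunk.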