Allow priv apps to use virtualizationservice

And allow VS and crosvm access to privapp_data_file, to the same
extent as app_data_file.

Update some comments, move a neverallow to the bottom of the file with
the others.

Bug: 255286871
Test: Install demo app to system/priv-app, see it work without explicit grant.
Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 26077f3..0b4b919 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -171,11 +171,13 @@
   allow untrusted_app_all self:lockdown integrity;
 ')
 
-# Allow running a VM for test/demo purposes. Note that access the service is
-# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
-# permission. The protection level of the permission is `signature|development`
-# so that it can only be granted to either platform-key signed apps or
-# test-only apps having `android:testOnly="true"` in its manifest.
+# Allow running a VM for test/demo purposes. Note that access to the
+# service is still guarded with the
+# `android.permission.MANAGE_VIRTUAL_MACHINE` permission. The
+# protection level of the permission is
+# `signature|privileged|development` so that it can only be granted to
+# either platform-key signed apps, privileged apps, or test-only apps
+# having `android:testOnly="true"` in their manifest.
 virtualizationservice_use(untrusted_app_all)
 
 with_native_coverage(`
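Review bot: The rewritten comment above `virtualizationservice_use(untrusted_app_all)` still opens with "Allow running a VM for test/demo purposes", which no longer matches the rest of the comment now that it lists `signature|privileged|development` and names privileged apps as eligible holders. This rule applies to the `untrusted_app_all` domain, and the priv-app grant described in the commit message is not in this hunk, so consider wording the comment to say which callers this particular allow covers and to avoid implying that this line is what enables privileged apps. The comment also restates the permission's protection level, which is defined outside this file; a pointer to where `android.permission.MANAGE_VIRTUAL_MACHINE` is declared would keep the comment from going stale the next time the level changes.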