Allow test apps to use the virtualizationservice
The existing host-side tests for virtualizationservice will be migrated
to device tests. In order for the self-instrumented test apks be able to
talk to the service, re-introduce the allow rule only for the
non-production builds.
Note that the access to the service is still guarded with the app
permission whose protection level now has the 'development' bit. So,
ordinary apks that are not testing-purpose (i.e. no
android:testOnly="true") can't use the service.
Bug: 203483081
Test: run MicrodroidDemoApp
Change-Id: Ia441fc5ca0a1f076d2e267a26e0df7c11730ec94
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 98d83af..d6f237c 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,6 +176,15 @@
# the profiler (which would be profiling the app that is sending the signal).
allow untrusted_app_all simpleperf:process signal;
+# Allow running a VM for test/demo purposes. Note that access the service is
+# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
+# permission. The protection level of the permission is `signature|development`
+# so that it can only be granted to either platform-key signed apps or
+# test-only apps having `android:testOnly="true"` in its manifest.
+userdebug_or_eng(`
+ virtualizationservice_use(untrusted_app_all)
+')
+
with_native_coverage(`
# Allow writing coverage information to /data/misc/trace
allow domain method_trace_data_file:dir create_dir_perms;