Restrict VM usage to platform_app. Remove access from untrusted apps and instead grant it to platform_app (but on user builds as well as debug). Also restrict any app from creating a vsock_socket; using an already created one is fine. Bug: 193373841 Test: Microdroid demo app now gets a denial Test: Rebuild demo with certifcate: platform, adb install, no denial Change-Id: I7be011e05244767a42d4c56e26de792db4fe599d

commit: f96cd6557e56347002a9121f172a06cae0eb1d05 [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Tue Sep 07 12:25:38 2021 +0100
committer: Inseob Kim <inseob@google.com> Thu Sep 09 02:30:43 2021 +0000
tree: ed435e636ab6062aff605c9e494f644cfa487048
parent: c71b2c18cc35e9299bd8239e88d37ccb35227372 [diff] [blame]
diff --git a/private/platform_app.te b/private/platform_app.te
index 55ccbde..a69c45e 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te

@@ -108,6 +108,9 @@
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 
+# Allow platform apps to create VMs
+virtualizationservice_use(platform_app)
+
 ###
 ### Neverallow rules
 ###
commit	f96cd6557e56347002a9121f172a06cae0eb1d05	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Tue Sep 07 12:25:38 2021 +0100
committer	Inseob Kim <inseob@google.com>	Thu Sep 09 02:30:43 2021 +0000
tree	ed435e636ab6062aff605c9e494f644cfa487048
parent	c71b2c18cc35e9299bd8239e88d37ccb35227372 [diff] [blame]