From 0dda188cad8416cd903916aa0a720746721ed810 Mon Sep 17 00:00:00 2001 From: Jiyong Park Date: Mon, 2 May 2022 12:54:48 +0900 Subject: [PATCH] Allow untrusted app to use virtualizationservice - even on user builds This only makes it difficult to run (test/demo) apps using AVF. They have to be pre-installed on the device which is infeasible on user-build devices. Removing the guard so that untrusted apps can use virtualizationservice even on user builds. Note that the use is still gated by the MANAGE_VIRTUAL_MACHINE permission, which can be granted only by pre-installing or explicitly via `adb shell pm grant`. So there's no risk of 3p apps downloaded from the net having its own VM. Ignore-AOSP-First: will cherry-pick to AOSP Bug: 231080171 Test: run MicrodroidDemoApp on a user build Change-Id: Ie0b1b9801dd7726633f97456a38bc0ea349013db --- private/untrusted_app_all.te | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te index ceee544f4..26077f376 100644 --- a/private/untrusted_app_all.te +++ b/private/untrusted_app_all.te @@ -176,9 +176,7 @@ userdebug_or_eng(` # permission. The protection level of the permission is `signature|development` # so that it can only be granted to either platform-key signed apps or # test-only apps having `android:testOnly="true"` in its manifest. -userdebug_or_eng(` - virtualizationservice_use(untrusted_app_all) -') +virtualizationservice_use(untrusted_app_all) with_native_coverage(` # Allow writing coverage information to /data/misc/trace
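Review bot: The comment kept above `virtualizationservice_use(untrusted_app_all)` in private/untrusted_app_all.te needs updating, because with the `userdebug_or_eng(` wrapper removed this allow now applies to every untrusted app domain on user builds and the MANAGE_VIRTUAL_MACHINE permission is the only remaining gate. The comment still describes only the `signature|development` protection level. It should say explicitly that sepolicy no longer distinguishes build types here and that access control rests entirely on the permission check, which is not visible in this patch, so a pointer to where it is enforced would help future readers. The comment's wording (platform-key signed or `android:testOnly="true"` apps) also differs from the commit message (pre-installed or `adb shell pm grant`), and the two should be aligned. The Test: line covers only the positive case of MicrodroidDemoApp on a user build. Please add a negative check that an untrusted app without the permission is refused on a user build, since that is the property the commit message relies on for its "no risk" claim.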